WailingCrab Malware Spreads through Shipping-Themed Emails

A complex malware named WailingCrab is arriving in emails themed around shipping and delivery. Initially discovered by Proofpoint in August 2023, this malware, also known as WikiLoader, has been used in attacks targeting various Italian organizations. Its ultimate aim is to deliver the Ursnif trojan. It is the work of the threat actor TA544, aka Bamboo Spider or Zeus Panda, under the cluster name Hive0133, according to IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick.

WailingCrab is not a single binary; it is a multi-component system consisting of a loader, injector, downloader, and backdoor. Each stage relies heavily on successful connections to attacker-controlled servers to retrieve the next one. The malware is also under active development, adopting stealth features that make it more resilient against detection efforts.

One notable aspect of WailingCrab’s evolution is its adoption of MQTT, a protocol rarely seen in malware. MQTT is typically used for small sensors and mobile devices, and its use in WailingCrab’s command-and-control (C2) communication marks a strategic shift to avoid scrutiny and enhance stealth.

The malware also does not limit itself to its own infrastructure; components are stored on well-known platforms such as Discord. These changes aim to ensure the malware’s survival and effectiveness, making it harder for defenders to track and neutralize.

The attack starts innocuously enough, with emails carrying PDF attachments that, once opened, trigger the download of a JavaScript file. This file serves as the gateway to the WailingCrab loader hosted on Discord, setting off a chain reaction where subsequent modules like injectors and downloaders take over, ultimately deploying the backdoor.

The method of backdoor deployment has also changed. Unlike previous versions, which fetched the backdoor directly from Discord, the latest iteration of WailingCrab arrives with the backdoor already included in encrypted form. Instead of downloading the backdoor, it reaches out to its C2 server to obtain a decryption key, enhancing its ability to operate undetected.

This backdoor is the core of the malware, ensuring its persistence on infected systems while connecting to the C2 server using MQTT to receive additional commands and payloads. The newer versions have refined their tactics, sidestepping Discord altogether and fetching payloads directly from the C2 server, leveraging the MQTT protocol for enhanced stealth and evasion.
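To illustrate why MQTT from an ordinary endpoint stands out, the following added example (not code from the original article or from the researchers it cites) recognizes an MQTT CONNECT packet from the first bytes of a flow, independent of port, and flags sessions opened by hosts that are not expected to speak MQTT. The flow records, addresses and allow-list are constructed, and the check assumes cleartext payload bytes; TLS-wrapped MQTT would need endpoint or broker-side telemetry instead.

```python
# Added example: flow records, addresses and the allow-list are constructed.
def decode_remaining_length(buf, pos=1):
    """Decode MQTT's variable-length 'remaining length' (1-4 bytes, 7 bits each)."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            return None                      # truncated packet
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:                  # continuation bit clear: last byte
            return value, pos + i + 1
    return None                              # more than 4 length bytes is malformed

def parse_mqtt_connect(payload):
    """Return CONNECT fields if payload begins with an MQTT CONNECT, else None."""
    if len(payload) < 2 or payload[0] != 0x10:   # packet type 1, reserved flags 0
        return None
    decoded = decode_remaining_length(payload)
    if decoded is None:
        return None
    pos = decoded[1]
    name_len = int.from_bytes(payload[pos:pos + 2], "big")
    name = payload[pos + 2:pos + 2 + name_len]
    if name not in (b"MQTT", b"MQIsdp"):         # 3.1.1/5.0 name, legacy 3.1 name
        return None
    pos += 2 + name_len
    if pos + 4 > len(payload):                   # level, flags, 2-byte keep-alive
        return None
    return {"level": payload[pos],
            "has_username": bool(payload[pos + 1] & 0x80),
            "keepalive": int.from_bytes(payload[pos + 2:pos + 4], "big")}

def flag_unexpected_mqtt(flows, allowed_sources):
    """List flows that open an MQTT session from a host not expected to speak MQTT."""
    hits = []
    for flow in flows:
        info = parse_mqtt_connect(flow["payload"])
        if info and flow["src"] not in allowed_sources:
            hits.append((flow["src"], flow["dst"], flow["dport"], info["level"]))
    return hits

CONNECT = b"\x10\x10\x00\x04MQTT\x04\x02\x00\x3c\x00\x04ws01"   # constructed packet
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "203.0.113.10", "dport": 1883, "payload": CONNECT},
    {"src": "10.0.9.5", "dst": "10.0.9.1", "dport": 1883, "payload": CONNECT},
    {"src": "10.0.5.40", "dst": "203.0.113.20", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
]
ALLOWED_MQTT_SOURCES = {"10.0.9.5"}              # e.g. a known sensor gateway
print(flag_unexpected_mqtt(SAMPLE_FLOWS, ALLOWED_MQTT_SOURCES))
```

Only the workstation flow is reported; the allow-listed gateway and the HTTP flow are ignored.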

Acknowledging the looming threat of detection, the developers of WailingCrab have strategically moved away from Discord-based operations. Discord, a favored platform for hosting malware, is anticipated to face increased scrutiny. In response, the social media company plans to shift to temporary file links by the year’s end to mitigate misuse of its content delivery network for distributing malicious software.

To guard against this malware, remain cautious of unsolicited messages, especially those requesting urgent actions or personal details. Avoid clicking on suspicious links or downloading attachments from unverified sources on messaging platforms like WhatsApp and Telegram.