WikiLoader

Profile: WikiLoader Malware

  • Name: WikiLoader
  • First Identified: December 2022
  • Primary Targets: Initially Italian organizations, potential for wider targeting

  • Infection Method:
    • Distributed primarily through malicious Microsoft Excel attachments or PDF files.
    • Embeds links leading to JavaScript payloads.

  • Primary Function:
    • Serves as a downloader to install a secondary malware payload, typically Ursnif malware.

  • Evasion Techniques:
    • Utilizes packed downloaders to obscure its code.
    • Employs skip encoding for additional obfuscation.
    • Executes indirect syscalls to hinder detection and analysis efforts.

  • Impact:
    • Can extract sensitive data, including login credentials and financial information.
    • Capable of installing additional harmful malware.

  • Notable Characteristics:
    • Particularly stealthy and capable of evading standard antivirus detection.
    • Communicates with remote servers to receive further malicious instructions or payloads.

  • Defensive Recommendations:
    • Maintain robust email security to filter potential malware-laden attachments and links.
    • Utilize advanced endpoint protection capable of detecting sophisticated threats.
    • Conduct regular security training for staff to recognize and respond to phishing attempts.
    • Keep all systems and security software up to date with the latest patches and updates.

Current Status: Active; monitoring and defense against this malware are advised.

WikiLoader exhibits several tactics and techniques that map to the MITRE ATT&CK framework. The key techniques associated with WikiLoader are:
  • T1566 - Phishing: WikiLoader is known to spread through phishing emails containing malicious Microsoft Excel attachments or PDF files. This technique falls under the initial access tactic of the MITRE framework.
  • T1204 - User Execution: The success of WikiLoader's infiltration often depends on user interaction, such as opening an attachment or clicking a malicious link.
  • T1027 - Obfuscated Files or Information: WikiLoader uses packed downloaders and skip encoding to obfuscate its code, making it harder for antivirus programs to detect its presence.
  • T1055 - Process Injection: The use of indirect system calls by WikiLoader can be seen as a form of process injection, where it executes its code in the address space of another process to evade detection.
  • T1105 - Ingress Tool Transfer: WikiLoader communicates with a remote server to download additional payloads, which is a technique used for bringing tools or other files from an external adversary-controlled system into a compromised environment.
  • T1071 - Application Layer Protocol: The malware's use of network protocols for communication with its command and control server aligns with this technique.
  • T1112 - Modify Registry: Depending on its payload and behavior, WikiLoader may modify registry settings to maintain persistence or control system processes.
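The infection chain described above (document attachment, script host running a JavaScript payload, downloader fetching the next stage) is what a defender can look for in process-creation telemetry. The following is an added example, not code from the original profile: it parses constructed sample events (the log format, process names and PIDs are assumptions) and flags a script host launched by a document reader together with whatever that script host spawned next.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry), one per line:
# "time pid ppid image command-line". They model the chain in the profile:
# Excel/PDF reader -> script host running a .js file -> loader fetching next stage.
SAMPLE_EVENTS = """\
10:01:02 4100 3000 EXCEL.EXE EXCEL.EXE C:\\Users\\a\\Downloads\\invoice.xlsx
10:01:40 4212 4100 wscript.exe wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\inv.js
10:01:41 4300 4212 rundll32.exe rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\ld.dll,Start
10:02:10 4400 3000 notepad.exe notepad.exe notes.txt
10:02:11 4500 4400 wscript.exe wscript.exe helper.js
10:03:00 5000 3000 AcroRd32.exe AcroRd32.exe C:\\Users\\a\\Downloads\\statement.pdf
10:03:30 5100 5000 cscript.exe cscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\s.js
"""

# Parent images that should rarely spawn a script host (assumed list).
DOC_READERS = {"excel.exe", "winword.exe", "acrord32.exe", "acrobat.exe"}
# Windows script hosts that run JavaScript payloads (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<image>\S+)\s+(?P<cmd>.*)$")

def parse_events(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
        d["image"] = d["image"].lower()
        events.append(d)
    return events

def find_document_script_chains(events):
    """Return one hit per script host whose parent is a document reader, including
    the script host's own children (the stage that downloads the next payload)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"] in DOC_READERS and e["image"] in SCRIPT_HOSTS:
            hits.append({"reader": parent["image"], "script_host": e["image"],
                         "script_cmd": e["cmd"],
                         "children": [c["image"] for c in children[e["pid"]]]})
    return hits
```

The notepad-to-wscript pair is deliberately not flagged; only document readers as parents match, which keeps the rule focused on the delivery path the profile describes.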