Beware of the Latest WailingCrab Malware Loader Disseminated Through Shipping-Themed Emails

In recent findings by IBM X-Force researchers, a sophisticated malware loader named WailingCrab, also known as WikiLoader, has drawn attention across the cybersecurity landscape. This threat, attributed to the threat actor TA544 (Bamboo Spider/Zeus Panda), is actively maintained and demonstrates a high level of sophistication. The malware is distributed through delivery- and shipping-themed email messages, using a multi-stage attack chain designed to compromise systems and establish persistence.

Key Components of WailingCrab:

WailingCrab is a multifaceted threat, consisting of a loader, injector, downloader, and a core backdoor. The success of the attack relies on communication with command-and-control (C2) servers, often leading to the retrieval of the next stage of the malware.

Evolution of Tactics:

Originally documented by Proofpoint in August 2023, WailingCrab has evolved since its initial appearance in late December 2022. Notably, the malware has shifted its strategy to incorporate features prioritizing stealth, making it resistant to analysis efforts. To avoid detection, the attackers leverage legitimate, hacked websites for initial C2 communications. Additionally, components of the malware are stored on well-known platforms like Discord.

MQTT Protocol Adoption:

A significant development in WailingCrab’s tactics is the adoption of the MQTT (Message Queuing Telemetry Transport) protocol for C2 communication. This lightweight messaging protocol, uncommon in the threat landscape, enhances the malware’s stealth capabilities. The use of MQTT was previously observed in instances like Tizi and MQsTTang.

Attack Chain Overview:

The attack typically begins with delivery-themed emails containing PDF attachments housing URLs. When recipients click on these URLs, a JavaScript file is downloaded, initiating the WailingCrab loader hosted on Discord. This loader then executes a next-stage shellcode, activating an injector module that, in turn, initiates a downloader to deploy the core backdoor.

Changes in Payload Delivery:

Unlike previous versions, the latest WailingCrab variant contains an encrypted backdoor component. Instead of downloading the backdoor from Discord, it reaches out to the C2 to obtain the key needed to decrypt the backdoor. Newer backdoor variants also fetch a shellcode-based payload directly from the C2 via MQTT, avoiding the previous reliance on Discord.

Remediation Steps:

  • Educate and Train Users: Provide comprehensive training to employees on recognizing phishing emails and suspicious attachments, emphasizing the importance of not clicking on unfamiliar links.
  • Implement Email Filtering: Employ advanced email filtering solutions to detect and block phishing emails before they reach users’ inboxes.
  • Keep Software Updated: Regularly update operating systems, browsers, and security software to patch vulnerabilities that could be exploited by malware.
  • Network Monitoring: Implement robust network monitoring to detect and block unusual communication patterns, especially those related to C2 servers.
  • Endpoint Protection: Utilize reliable antivirus and endpoint protection solutions to detect and quarantine malicious files.
  • Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and effective response to a potential malware incident.
  • Discourage Discord Downloads: Given the abuse of Discord’s content delivery network for malware distribution, consider limiting or blocking downloads from Discord within your network.
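The MQTT section above notes that the protocol is uncommon in the threat landscape, and the Network Monitoring step asks for detection of unusual C2-style communication. Because a C2 channel need not use the standard MQTT port, a practical check is to recognise an MQTT CONNECT packet by its wire format rather than by port number and then ask whether the source is a host that should be speaking MQTT at all. The following is an added example, not code from IBM X-Force, Proofpoint or the original article: it parses the MQTT CONNECT fixed and variable headers (protocol name, protocol level, connect flags, keep-alive, and for MQTT 5 the properties field) and flags CONNECT packets that originate from a workstation subnet. The subnet `10.20.0.0/16`, the flow records and the client identifiers are all constructed for the example; the `build_connect` helper exists only to produce sample packets.

```python
import ipaddress
from typing import Optional

# Assumption for this example: user workstations live in 10.20.0.0/16.
# Servers or IoT gateways that legitimately use MQTT are elsewhere.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-byte integer: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(buf: bytes, offset: int):
    """Decode a variable-byte integer; returns (value, next_offset) or None."""
    multiplier, value = 1, 0
    for i in range(4):  # the spec allows at most 4 bytes
        if offset + i >= len(buf):
            return None
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, offset + i + 1
    return None


def parse_mqtt_connect(payload: bytes) -> Optional[dict]:
    """Return CONNECT details if the first bytes of a TCP stream are an MQTT CONNECT."""
    # Fixed header: packet type 1 in the high nibble, flags must be 0 -> 0x10.
    if len(payload) < 2 or payload[0] != 0x10:
        return None
    decoded = _decode_remaining_length(payload, 1)
    if decoded is None:
        return None
    remaining, pos = decoded
    body = payload[pos:pos + remaining]
    # Smallest valid body: name(2+4) + level(1) + flags(1) + keepalive(2) + empty client id(2).
    if len(body) != remaining or remaining < 12:
        return None
    name_len = int.from_bytes(body[0:2], "big")
    name = body[2:2 + name_len]
    if name not in (b"MQTT", b"MQIsdp"):  # 3.1.1/5.0 and legacy 3.1 names
        return None
    i = 2 + name_len
    if i + 4 > len(body):
        return None
    level, flags = body[i], body[i + 1]
    keepalive = int.from_bytes(body[i + 2:i + 4], "big")
    i += 4
    if level == 5:  # MQTT 5 inserts a length-prefixed properties block here
        props = _decode_remaining_length(body, i)
        if props is None:
            return None
        plen, i = props
        i += plen
    if i + 2 > len(body):
        return None
    cid_len = int.from_bytes(body[i:i + 2], "big")
    client_id = body[i + 2:i + 2 + cid_len].decode("utf-8", "replace")
    return {"protocol": name.decode(), "level": level, "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "client_id": client_id}


def build_connect(client_id: str, level: int = 4) -> bytes:
    """Build a minimal CONNECT packet (sample-data helper, constructed for this example)."""
    body = b"\x00\x04MQTT" + bytes([level, 0x02]) + (60).to_bytes(2, "big")
    if level == 5:
        body += b"\x00"  # empty properties block
    cid = client_id.encode()
    body += len(cid).to_bytes(2, "big") + cid
    return b"\x10" + _encode_remaining_length(len(body)) + body


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def flag_mqtt_from_workstations(flows):
    """Flag flows whose first client bytes are an MQTT CONNECT and whose source is a workstation."""
    findings = []
    for f in flows:
        connect = parse_mqtt_connect(f["payload"])
        if connect is None or not is_workstation(f["src"]):
            continue
        findings.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                         "client_id": connect["client_id"], "mqtt_version": connect["level"]})
    return findings


# Constructed flow records: (src, dst, dport, first client bytes of the TCP stream).
SAMPLE_FLOWS = [
    {"src": "10.20.4.17", "dst": "203.0.113.45", "dport": 443, "payload": build_connect("wc-7f3a")},
    {"src": "10.20.4.17", "dst": "198.51.100.9", "dport": 443, "payload": b"\x16\x03\x01\x00\xc4\x01"},
    {"src": "10.50.1.8", "dst": "10.50.1.2", "dport": 1883, "payload": build_connect("sensor-gw-01")},
    {"src": "10.20.9.3", "dst": "198.51.100.77", "dport": 1883, "payload": build_connect("x1", level=5)},
]

if __name__ == "__main__":
    for hit in flag_mqtt_from_workstations(SAMPLE_FLOWS):
        print(hit)
```

Only the plaintext case is covered: MQTT over TLS (conventionally port 8883) shows a TLS ClientHello as its first bytes, so the same check would have to run after TLS inspection or be replaced by TLS metadata such as the destination name. The second sample flow, whose payload starts with a TLS record header, is therefore left alone, and the IoT gateway on the server subnet is allowed through because the policy is about who is speaking MQTT, not whether MQTT appears.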

Conclusion:

As the WailingCrab malware continues to evolve, it is crucial for organizations to stay vigilant and proactive in implementing cybersecurity measures. By combining user education, advanced threat detection, and a robust incident response plan, businesses can enhance their resilience against evolving threats like WailingCrab.