October 3, 2023

Researchers have spotted malware downloader spoofing Italian organizations, including the tax agency, to deliver a banking Trojan to target Italian organizations.

The downloader is called WikiLoader , which uses multiple mechanisms to evade detection. The financially motivated threat actor behind it, which tracked as TA544. The loader ultimately leads to the Ursnif banking Trojan, one of two Trojans favored by TA544.

As per the researchers, It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string “The Free” in the contents, and since December 2022, at least more than half a dozen campaigns observed distributing Wikiloader.

Threat actors have pivoted away from using malicious Microsoft Office macro-laced attachments in tandem with Microsoft’s effort to block macros from executing, but TA544 has continued to use them in attack chains.


The campaigns began with emails containing Microsoft Excel or OneNote attachments or a regular PDF. The WikiLoader was distributed by at least two threat actors – TA544 and TA551 – and both were targeting Italy.

Its authors appear to make regular changes to try and remain undetected and fly under the radar. It is likely that more criminal threat actors will use this, especially those known as initial access brokers that conduct regular activity that leads to ransomware.

The source code for the Ursnif malware leaked online in 2015, allowing attackers to develop more customized and harder-to-detect versions of the Trojan.

Ursnif, which also goes by the names DreamBot and Gozi ISFB, is designed to steal passwords and credentials from victims and focuses on the banking and financial sectors.

A recent TA544 campaign used an updated version of WikiLoader and spoofed an Italian courier service. That version was more complex and used additional stalling mechanisms in an attempt to evade automated analysis and the use of encoded strings.


WikiLoader Malware Evolution 

Researchers have observed at least three different versions of the malware, which indicates it is undergoing active development. The following is a timeline with the relevant differences and updates observed in each version.

First version | 27 December 2022:

  • No string encoding within the shellcode layers
  • Structures used for indirect syscalls were simpler 
  • Shellcode layers didn’t contain as much obfuscation
  • Fewer APIs were used within the shellcode layer
  • Potentially one less stage of shellcode
  • The fake domain was manually created rather than via automation 

Second version | 8 February 2023

  • Added complexity to the syscall structure
  • Implemented more busy loops
  • Began using encoded strings
  • Started deleting artifacts from file download

Third version | 11 July 2023

  • Strings still encoded via skip encoding
  • New technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts
  • Cookies are exfiltrated from the loader which contain basic host information
  • Full execution of the loader takes almost an hour given the abundance of busy loops
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass

It is recommended that organizations ensure macros are disabled by default for all employees and block the execution of embedded external files within OneNote documents.

This research was documented by researchers from Proofpoint

Indicators of Compromise

  • hxxps://cdn[.]discordapp[.]com/attachments/1128405963062378558/1128406314452799499/dw4qdkjbqwijhdhbwqjid.iso
  • hxxps://inspiration-canopee[.]fr/vendor/fields/assets/idnileeal/sifyhewmiyq/3jnd9021j9dj129.php
  • hxxps://cdn[.]discordapp[.]com/attachments/1124390807626076192/1128383419970240662/s42.iso
  • hxxps://www[.]p-e-c[.]nl/wp-content/themes/twentytwentyone/hudiiiwj1.php?id=1
  • hxxps://vivalisme[.]fr/forms/forms/kiikxnmlogx/frrydjqb/vendor/9818hd218hd21.php?id=1
  • hxxps://inspiration-canopee[.]fr/vendor/fields/assets/idnileeal/sifyhewmiyq/3jnd9021j9dj129.php?id=1
  • hxxps://tournadre[.]dc1-mtp[.]fr/wp-content/plugins/kona-instagram-feed-for-gutenbargwfn/4dionaq9d0219d.php?id=1
  • hxxps://studiolegalecarduccimacuzzi[.]it/Requests/tmetovcqhnisl/vendor/gyuonfuv/languages/vgwtdpera/Requests/5i8ndio12niod21.php?id=1
  • hxxps://www[.]astrolabecommunication[.]fr/wp-includes/9d8n190dn21.php?id=1
  • 1d1e2c0946cd4e22fff380a3b6adf38e7c8b3f2947db7787d00f7d9db988dad2
  • hxxps://nikotta[.]com/subtotal
  • 69a6476d6f7b312cc0d9947678018262737417e02ebfe168f8d17babed24d657
  • d49c2e47c8e14cc01f0a362293c613ea9604e532ff77b879d69895473dfbeb03
  • 95125db52cdc7870b35c3762bad0ea18944aaed9503c3f69b30beb6ca7bae7e7
  • 1e5035723637c2f4a26d984e29d17cf164f3846f82eb0b7667efa132a2ea0187
  • 18a088a190263275172a28d387103e83b8940e51e96cb518ed41a1960c772bba
  • eaa1be7a91c4f1370d2ad566f8625e3e5bb7c58d99a9e2e3a80e83ce80904e11
  • 1eb5d4ae5114979908bfbf8a617b2084b101e9eda92532cf81b2a527c27d91a5
  • 46c2e0ffadf801900fbff964ba2af5e24fee3209d1011bb46529ba779ff79e93
  • 8d4701f33c05851f41eedb98bfff0569b7f4fae3352e2081f01b3add0a97936c
  • 9a74befc4a4dab4c5032d64fcf9723b67e73ae9d5280fb9fb54f225febba03fe
  • f88526be804223cae5b4314b9bc0f01c24352caa7ec2c7a2f8b6b54c2e902acc
  • 9782f11930910c7d24dea71a7a21f40f19623b214cb1848bf9f4d49b858c8379
  • 9feb868d39b13e395396ea86ddbf05c4820dd476b58b6b437eff1e0b91e2615c
  • hxxps://www[.]ilfungodilacco[.]it/wp-content/themes/twentytwentyone/fnc.php?id=1
  • hxxps://www[.]centrograndate[.]it/plugins/content/jw_sigpro/jw_sigpro/includes/js/jquery_colorbox/example4/images/border3.php?id=1
  • hxxp://www[.]bbpline.com
  • 86966795bbd054104844cdab7efcafb0b1879a10aae5c0fefbbc83d1ebccbc98
  • e0a1ffff9d5c6eaaa2e57548d8db2febbe89441a76f58feae8256ab69f64c88b
  • 2505b1471e26a303d59e5fc5f0118729a9eead489ffc6574ea2a7746e5db722d
  • 6e494eb76d75ee02b28e370ab667bcbcdc6f5143ad522090f4b8244eb472d447
  • 44abd30e18e88e832a65a29ce56c9c570d7f0a3b93158e5059722d89782a750c
  • d16c5485f3f01fe0d0ce9387e9c92b561ef4d42f0a22dde77f18a424079c87cd
  • 0e518e2627350ec0ab61fce3713644726eb3916563199187ef244277281cd35b
  • https://sunniznuhqan[.]com
  • 0b02cfe16ac73f2e7dc52eaf3b93279b7d02b3d64d061782dfed0c55ab621a8e
  • hxxps://osteopathe-claudia-grimand[.]fr/wp-content/themes/twentynineteen/blog.php?id=1
  • hxxps://www[.]yourbed[.]it/wp-content/themes/twentytwentyone/blog.php?id=1
  • 2c44c1312a4c99e689979863e7c82c474395d6f46485bd19d0ee26fc3fa52279
  • 27070a66fc07ff721a16c4945d4ec1ca1a1f870d64e52ed387b499160a03d490
  • a599666949f022de7ccc7edb3d31360e38546be22ad2227d4390364b42f43cfd
  • bbe1eb4a211c3ebaf885b7584fc0936b9289b4d4f4a7fc7556cc870de1ff0724
  • a2ed8e1d23d2032909c8ad264231bc244c113a4b40786a9bc9df3418cc915405
  • 1106e4b7392f471a740ec96f9e6a603fe28f74b32eef7b456801a833f13727fc
  • 9386ccb677bde1c51ca3336d02fea66f9489913f2241caa77def71d09464d937
  • ee008ff7b30d4fce17c5b07ed2d6a0593dc346f899eff3441d8fb3c190ef0e0e

Leave a Reply

%d bloggers like this: