Campaign Uses Malicious Microsoft Office Attachments
A malware downloader is spoofing Italian organizations, including the tax agency, to deliver a banking Trojan to target Italian companies, said researchers.
Proofpoint calls the downloader WikiLoader. It said in a post on Monday that it uses multiple mechanisms to evade detection. The financially motivated threat actor behind it, which Proofpoint tracks as TA544, likely developed WikiLoader with an eye to renting it to “select cybercriminal threat actors.” The loader ultimately leads to the Ursnif banking Trojan, one of two Trojans favored by TA544.
“It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string ‘The Free’ in the contents,” the researchers wrote.
Proofpoint said that it has observed at least eight campaigns distributing WikiLoader since December 2022.
The campaigns began with emails containing Microsoft Excel or OneNote attachments or a regular PDF. The researchers observed WikiLoader being distributed by at least two threat actors – TA544 and TA551, and both were targeting Italy. Hackers have pivoted away from using malicious Microsoft Office macro-laced attachments in tandem with Microsoft’s effort to block macros from executing, but TA544 “has continued to use them in attack chains,” the researchers said.
“The Microsoft Excel attachments contained characteristic VBA macros which, if enabled by the recipient, would download and execute a new unidentified downloader that Proofpoint researchers eventually dubbed WikiLoader. This campaign was attributed to TA544,” the researchers said. VBA refers to the Visual Basic for Applications programming language that’s built into the Office suite.
“Its authors appear to make regular changes to try and remain undetected and fly under the radar. It is likely more criminal threat actors will use this, especially those known as initial access brokers that conduct regular activity that leads to ransomware,” said Selena Larson, senior threat intelligence analyst at Proofpoint.
The source code for the Ursnif malware leaked online in 2015, allowing attackers to develop more customized and harder-to-detect versions of the Trojan (see: New Ursnif Variant Spreads Through Infected Word Documents).
Ursnif, which also goes by the names DreamBot and Gozi ISFB, is designed to steal passwords and credentials from victims and focuses on the banking and financial sectors.
A February TA544 campaign used an updated version of WikiLoader and spoofed an Italian courier service. That version was more complex: it used additional stalling mechanisms in an attempt to evade automated analysis, and it used encoded strings.
Proofpoint researchers recommend that organizations ensure macros are disabled by default for all employees and block the execution of embedded external files within OneNote documents.
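One way to apply those two recommendations on a Windows host, as an added example that is not part of the Proofpoint report: a PowerShell script that sets the per-user Office policy registry values for Excel macro blocking and OneNote embedded-file blocking, then reads them back for auditing. The Excel value names are the documented Office policy settings; the OneNote key path and the meaning of `EmbeddedFileOpenOptions` (0 = block) are assumptions and should be checked against the Office ADMX templates in use before deployment.

```powershell
# Added hardening example (not from the article): apply per-user Office policy
# values that (1) disable VBA macros in Excel without notification and refuse
# macros in internet-origin files, and (2) block opening embedded files in OneNote.
# Deploy the same values via GPO/Intune for fleet-wide enforcement.

$officeVersion = '16.0'   # assumption: Office 2016/2019/365 policy tree; adjust if needed

# Excel: VBAWarnings 4 = "Disable all without notification";
# blockcontentexecutionfrominternet 1 = block macros in files marked as from the internet.
$excelSecurity = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Excel\Security"
New-Item -Path $excelSecurity -Force | Out-Null
Set-ItemProperty -Path $excelSecurity -Name 'VBAWarnings' -Type DWord -Value 4
Set-ItemProperty -Path $excelSecurity -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1

# OneNote: EmbeddedFileOpenOptions 0 = block embedded files.
# ASSUMPTION: verify the key path and value semantics in your ADMX templates.
$oneNoteOptions = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\OneNote\Options"
New-Item -Path $oneNoteOptions -Force | Out-Null
Set-ItemProperty -Path $oneNoteOptions -Name 'EmbeddedFileOpenOptions' -Type DWord -Value 0

# Read the values back so the change can be audited or checked from a compliance script.
function Test-OfficeHardening {
    $excel   = Get-ItemProperty -Path $excelSecurity
    $onenote = Get-ItemProperty -Path $oneNoteOptions
    [pscustomobject]@{
        ExcelMacrosDisabled    = ($excel.VBAWarnings -eq 4)
        ExcelInternetBlocked   = ($excel.blockcontentexecutionfrominternet -eq 1)
        OneNoteEmbeddedBlocked = ($onenote.EmbeddedFileOpenOptions -eq 0)
    }
}

Test-OfficeHardening
```

Setting these under HKCU affects only the current user; for all users, push the same values through Group Policy so that users cannot re-enable macros from the Trust Center.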