Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
July 2023 by Proofpoint, Inc.
Cybersecurity company Proofpoint has today published new research detailing the identification of a new malware Proofpoint’s threat researchers are calling “WikiLoader”, a sophisticated new malware that recently appeared on the cybercrime threat landscape, so far associated with campaigns delivering banking trojan Ursnif.
Key findings within the blog include:
• WikiLoader was first identified in December 2022 being delivered by TA544, an actor that typically uses Ursnif malware to target Italian organizations. Proofpoint has since observed multiple subsequent campaigns.
• It is a sophisticated downloader with the objective of installing a second malware payload. The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors.
• It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string “The Free” in the contents.
Selena Larson, Senior Threat Intelligence Analyst at Proofpoint explains, “WikiLoader is a sophisticated new malware that recently appeared on the cybercrime threat landscape, so far associated with campaigns delivering Ursnif. It is currently under active development, and its authors appear to make regular changes to try and remain undetected and fly under the radar. It is likely more criminal threat actors will use this, especially those known as initial access brokers (IABs) that conduct regular activity that leads to ransomware. Defenders should be aware of this new malware and activities involved in payload delivery and take steps to protect their organizations against exploitation.”