Proofpoint researchers have identified a new piece of malware affecting Italy: WikiLoader. It is distributed by TA544, an actor known for using the Ursnif malware, and researchers first observed it in December 2022. Since then, several campaigns have mainly targeted Italy.
WikiLoader is the new malware affecting Italy
WikiLoader is a downloader designed to install a second malware payload. It features advanced evasion techniques, along with custom code implementations meant to hinder detection and analysis.
WikiLoader is currently under active development, and its authors make regular changes to avoid detection and go unnoticed. It is likely to be used by an increasing number of cybercriminals, especially Initial Access Brokers (IABs) that facilitate ransomware-related activities.
Selena Larson, senior threat intelligence analyst at Proofpoint, comments: “Defenders should be aware of this new malware and the activities included in the payload delivery, and take steps to protect their organizations.”
Since December 2022, Proofpoint researchers have identified eight WikiLoader distribution campaigns. The campaigns, attributed to TA544 and TA551, mainly targeted Italy.
Attacks start with malicious emails containing Microsoft Excel, Microsoft OneNote or PDF attachments. VBA macros in the documents trigger a download that runs WikiLoader, which then downloads the Ursnif malware.
The latest attack, on July 11, 2023, showed further changes to the malware, including accounting-related topics in messages and the use of PDF attachments with malware download URLs. The campaigns impacted numerous Italian organizations and proved to be high-volume, with over 150,000 messages.
You can learn more on the Proofpoint website.