New WikiLoader Malware Goes to Extreme Lengths to Hide


Security researchers have uncovered new loader malware under active development which uses multiple mechanisms to evade detection.

Proofpoint said it detected “WikiLoader” in several campaigns since December 2022, targeting mainly Italian organizations.


WikiLoader is distributed via a variety of vectors, including macro-enabled documents, PDFs containing URLs leading to a JavaScript payload and OneNote attachments with embedded executables.

Its job is to download a second-stage payload, often the Ursnif malware variant.

The loader is so named because it makes an HTTPS request to Wikipedia.com and checks that the response contains the string “The Free”. Proofpoint claimed this is most likely an evasion check designed to stop the loader from running inside an automated analysis environment, where outbound web access is often blocked or faked.

However, this is just one of many features designed to keep the malware under the radar.

“The first stage of WikiLoader is highly obfuscated. Most of the call instructions have been replaced with a combination of push/jmp instructions to recreate the actions of a return without having to explicitly use the return instruction,” explained Proofpoint.

“This causes issues with common analysis tools such as IDA Pro and Ghidra. In addition to these features, WikiLoader also uses indirect syscalls in an attempt to evade endpoint detection and response (EDR) solutions and sandbox hooks.”

The malware also uses packed downloaders, a common technique threat actors employ to evade detection and analysis.

Proofpoint detected at least three versions of WikiLoader, hinting that it is under rapid development as its authors look to make it more complex and the payload harder for researchers to retrieve. The most recent version, spotted on July 11, had the following notable features:

  • Strings still encoded via skip encoding
  • New technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts
  • Cookies are exfiltrated from the loader which contain basic host information
  • Full execution of the loader takes almost an hour given the abundance of busy loops
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass

Proofpoint warned that the malware could become a useful tool for initial access brokers (IABs) to deliver malware during attacks.

“Organizations should ensure macros are disabled by default for all employees, block the execution of embedded external files within OneNote documents, and ensure JavaScript files are opened by default in a notepad or similar application, by adjusting default file extension associations via group policy object (GPO),” it concluded.
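The following PowerShell is an added example, not code from Proofpoint or the article, showing what two of those recommendations look like as local registry settings so an administrator can test them on a single host before pushing the equivalent settings through a GPO. It assumes Office 2016 or later (policy path version "16.0"), an elevated session, and that the organization has no business need for users to double-click `.js`/`.jse` files; the function name `Get-ScriptFileHandler` is the example's own.

```powershell
# Added example (not from the Proofpoint report or the article).
# Local equivalents of two of the recommended mitigations, for testing before GPO rollout.
# Assumes Office 2016+/Microsoft 365 (policy key version "16.0") and an elevated session.

function Get-ScriptFileHandler {
    # Returns the command Windows runs when a file of the given class (JSFile, JSEFile) is opened.
    param([string]$Class)
    $cmdKey = "HKLM:\SOFTWARE\Classes\$Class\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        return (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return $null
}

# 1) Open .js / .jse files in Notepad instead of handing them to the Windows Script Host.
#    Machine-wide class registrations live under HKLM:\SOFTWARE\Classes.
foreach ($class in 'JSFile', 'JSEFile') {
    $before = Get-ScriptFileHandler -Class $class
    if ($null -ne $before) {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$class\Shell\Open\Command" `
            -Name '(default)' -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
        Write-Host "$class : '$before' -> notepad.exe"
    }
}

# Stricter alternative: disable the Windows Script Host entirely (wscript/cscript refuse to run).
# Leave commented unless no signed logon scripts depend on WSH.
# New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Force | Out-Null
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled' -Value 0 -Type DWord

# 2) Disable VBA macros in Word and Excel without offering the user an "Enable Content" button.
#    VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = digitally signed only,
#    4 = disable all without notification.
foreach ($app in 'Word', 'Excel') {
    $secKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $secKey -Force | Out-Null
    Set-ItemProperty -Path $secKey -Name 'VBAWarnings' -Value 4 -Type DWord
}

# 3) Audit the result so the change can be verified (and rolled back from the printed "before" values).
foreach ($class in 'JSFile', 'JSEFile') {
    "{0,-8} {1}" -f $class, (Get-ScriptFileHandler -Class $class)
}
```

The per-user `HKCU` policy path is used for the macro setting because that is where the Office administrative templates write it; under GPO the same values are set through the Office ADMX "VBA Macro Notification Settings" policy rather than by editing the registry directly. The OneNote embedded-file block mentioned above has its own ADMX policy and is not shown here.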

