Italy targeted by new malware strain

A threat group known for going after targets in Europe and Asia has been deploying a new form of malware against Italian organizations, cybersecurity company Proofpoint says.

First detected by the analyst in December and dubbed Wikiloader — because it attempts to leverage an aspect of the popular online enclyopedia — the strain is being used by the mysterious cyber gang known as TA544 as a primary means of offense.

However, Proofpoint adds “it is likely the use of this malware is available for sale to multiple cybercriminal groups.”

It says that the malware has been named WikiLoader due to its making a request to Wikipedia and checking that the response has the string “The Free” in the contents.

Proofpoint describes this as “an evasive maneuver” by Wikiloader to ensure a targeted device is connected to the internet and not in a simulated environment — used by cybersecurity professionals to detect and contain malicious software attacks.

Wikiloader’s purpose appears to be to soften up a target system’s defenses so that a second, previously documented, form of malware called Ursnif can be unleashed. The latter is a trojan used to steal sensitive data such as passwords from banking websites.

Proofpoint says it observed campaigns using Wikiloader to install Ursnif as a “follow-on payload” on December 27th, February 8th, and July 11th. The first of these used a spoofed or mimicked document pretending to be sent by the Italian Revenue Agency in a bid to lure targeted firms.

No one seems to know exactly which country, if any, TA544 is affiliated with, but previous Proofpoint investigations have established that the threat group has selected targets in Italy, Poland, Germany, Spain, and Japan since at least 2017.

Commenting on Proofpoint’s latest findings, its senior threat intelligence anlayst Selena Larson said: “WikiLoader is a sophisticated new malware that recently appeared on the cybercrime threat landscape, so far associated with campaigns delivering Ursnif. It is currently under active development, and its authors appear to make regular changes to try and remain undetected and fly under the radar.”

She also voiced fears that other cybercriminal groups are likely to use Wikiloader, particularly initial access brokers who faciliate ransomware attacks by stealing and selling on vital information needed by such gangs.

“Defenders should be aware of this new malware and activities involved in payload delivery, and take steps to protect their organizations against exploitation,” she added.