Unmasking WailingCrab: Navigating the Stealthy Seas of a Sophisticated Malware Loader's Delivery Tactics
Cybersecurity researchers from IBM X-Force have published an analysis of a malware loader they track as WailingCrab. The same loader is tracked by Proofpoint as WikiLoader, which first documented it in August 2023 in campaigns targeting Italian organizations.
WailingCrab is attributed to the group IBM tracks as Hive0133, which overlaps with Proofpoint's TA544 (also known as Bamboo Spider and Zeus Panda). What sets this malware apart is its multi-component structure, comprising a loader, an injector, a downloader, and a backdoor. Each stage must complete a successful request to a command-and-control (C2) server before it can retrieve the next stage, which means a sample cannot be fully unpacked in isolation and frustrates sandbox and static analysis.
One notable aspect of WailingCrab's delivery method is its use of delivery- and shipping-themed email lures. According to IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick, these emails carry PDF attachments containing URLs. Following a URL downloads a JavaScript file that retrieves and launches the WailingCrab loader.
The loader, in turn, runs the injector module, which ultimately deploys the backdoor. WailingCrab has gained additional stealth and anti-analysis features over time. To keep its initial C2 traffic from standing out, the malware routes those communications through legitimate but compromised websites.
"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the researchers concluded. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."
Earlier variants fetched malware components from well-known platforms such as Discord's content delivery network. The latest versions of WailingCrab drop the Discord download path and instead receive a shellcode payload directly from the C2 over MQTT, so detections keyed on Discord CDN URLs no longer cover current samples.
This change tracks the evolving threat landscape: Discord and similar platforms increasingly scrutinize files served from their domains, so the WailingCrab developers moved to a channel that is less likely to be taken down or inspected.
For defenders, understanding the intricacies of loaders like WailingCrab matters in practice. MQTT is a lightweight publish/subscribe messaging protocol designed for IoT devices and is rarely used by end-user workstations; a workstation opening MQTT connections to an external broker, on the standard ports (1883, 8883) or otherwise, is worth investigating.
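The following is an added example, not code from IBM X-Force or from the malware itself. It shows how a defender can recognise an MQTT CONNECT handshake at the start of a TCP stream regardless of destination port, by parsing the MQTT fixed header and CONNECT variable header (MQTT 3.1, 3.1.1 and 5.0 framing). The flows, hosts and client identifiers are constructed here for illustration and say nothing about WailingCrab's actual brokers, topics or client IDs.

```python
"""Heuristic detector for MQTT CONNECT packets at the start of a TCP stream.

Added example (not from the original article). The sample flows below are
constructed for illustration; they are not captured WailingCrab traffic.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

MQTT_CONNECT = 1                          # control packet type 1 = CONNECT
KNOWN_PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}  # 3.1.1/5.0 and legacy 3.1 names
STANDARD_MQTT_PORTS = {1883, 8883}


@dataclass
class ConnectInfo:
    protocol_name: str
    protocol_level: int
    clean_session: bool
    keep_alive: int
    client_id: str
    packet_length: int


def _decode_remaining_length(buf: bytes, pos: int):
    """Decode MQTT's variable-length 'remaining length' (1-4 bytes, 7 bits each)."""
    multiplier, value, consumed = 1, 0, 0
    while True:
        if pos + consumed >= len(buf) or consumed == 4:
            return None                   # truncated or over-long encoding
        byte = buf[pos + consumed]
        value += (byte & 0x7F) * multiplier
        consumed += 1
        if not byte & 0x80:
            return value, consumed
        multiplier *= 128


def _encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _read_utf8_string(buf: bytes, pos: int, limit: int):
    """Read a 2-byte length-prefixed string, refusing to run past `limit`."""
    if pos + 2 > limit:
        return None
    (length,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + length
    if end > limit:
        return None
    return buf[pos + 2:end], end


def parse_connect(payload: bytes) -> Optional[ConnectInfo]:
    """Return ConnectInfo if payload begins with a well-formed MQTT CONNECT, else None."""
    if len(payload) < 2:
        return None
    packet_type, flags = payload[0] >> 4, payload[0] & 0x0F
    if packet_type != MQTT_CONNECT or flags != 0:   # CONNECT fixed-header flags are reserved 0
        return None
    decoded = _decode_remaining_length(payload, 1)
    if decoded is None:
        return None
    remaining, consumed = decoded
    pos = 1 + consumed
    total = pos + remaining
    if total > len(payload):
        return None
    name = _read_utf8_string(payload, pos, total)
    if name is None or name[0] not in KNOWN_PROTOCOL_NAMES:
        return None
    proto_name, pos = name
    if pos + 4 > total:
        return None
    level, connect_flags = payload[pos], payload[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", payload, pos + 2)
    pos += 4
    if connect_flags & 0x01:              # connect-flags bit 0 is reserved and must be 0
        return None
    if level == 5:                        # MQTT 5 adds a properties block before the payload
        props = _decode_remaining_length(payload, pos)
        if props is None:
            return None
        props_len, consumed = props
        pos += consumed + props_len
    cid = _read_utf8_string(payload, pos, total)
    if cid is None:
        return None
    client_id, _ = cid
    return ConnectInfo(proto_name.decode("ascii", "replace"), level,
                       bool(connect_flags & 0x02), keep_alive,
                       client_id.decode("utf-8", "replace"), total)


def build_connect(client_id: bytes, level: int = 4, keep_alive: int = 60) -> bytes:
    """Construct a minimal CONNECT packet as sample input (not real malware traffic)."""
    var_header = struct.pack(">H", 4) + b"MQTT" + bytes([level, 0x02]) + struct.pack(">H", keep_alive)
    if level == 5:
        var_header += b"\x00"             # empty properties block
    body = var_header + struct.pack(">H", len(client_id)) + client_id
    return bytes([MQTT_CONNECT << 4]) + _encode_remaining_length(len(body)) + body


def flag_mqtt_flows(flows: Iterable[tuple], allowed_brokers=frozenset()) -> list:
    """flows: (src, dst, dport, first_client_payload). Alert on MQTT to any non-allowlisted host."""
    alerts = []
    for src, dst, dport, payload in flows:
        info = parse_connect(payload)
        if info is None or dst in allowed_brokers:
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport, "client_id": info.client_id,
                       "protocol_level": info.protocol_level,
                       "nonstandard_port": dport not in STANDARD_MQTT_PORTS})
    return alerts


# Constructed sample flows: hosts and client IDs are hypothetical.
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.10", 1883, build_connect(b"host-a1b2c3")),
    ("10.0.0.15", "198.51.100.7", 443, build_connect(b"host-a1b2c3", level=5)),
    ("10.0.0.22", "192.0.2.80", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.30", "10.0.5.5", 8883, build_connect(b"sensor-42")),
]

if __name__ == "__main__":
    for alert in flag_mqtt_flows(SAMPLE_FLOWS, allowed_brokers={"10.0.5.5"}):
        print(alert)
```

The parser keys on protocol structure rather than port, so an MQTT session tunnelled over 443 (the second sample flow) is caught while the HTTP request and the allowlisted internal broker are ignored. Only the first client-to-server segment of each flow is needed, which keeps the check cheap enough to run over bulk captures or proxy logs that retain initial payload bytes.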
Stay vigilant and keep your cybersecurity measures up-to-date to safeguard against emerging threats in this ever-evolving landscape.
Stay secure!
