November 23, 2023 at 08:24AM
Shipping-themed email messages are being used to distribute the WailingCrab malware. The malware consists of multiple components and is associated with the threat actor TA544. It prioritizes stealth and uses compromised websites and legitimate platforms such as Discord for its communications. Newer variants use the MQTT protocol for command-and-control, which increases their stealthiness. Discord plans to switch to temporary file links to prevent the abuse of its content delivery network for malware distribution.
Key Takeaways:
– WailingCrab is a sophisticated malware loader that is being delivered through delivery- and shipping-themed email messages.
– WailingCrab has multiple components, including a loader, injector, downloader, and backdoor. Each next stage is retrieved only after a successful request to an attacker-controlled C2 server.
– The malware was first documented by Proofpoint in August 2023 and was used in campaigns targeting Italian organizations to deploy the Ursnif trojan.
– The threat actor behind WailingCrab is known as TA544, Bamboo Spider, or Zeus Panda, and is tracked under the cluster name Hive0133.
– WailingCrab is actively maintained by its operators and incorporates features that prioritize stealth and resist analysis. Compromised websites and legitimate platforms such as Discord are used for initial command-and-control communications.
– A noteworthy change in the malware is the use of the MQTT protocol for C2, which is rare in the threat landscape.
– The attack chains begin with emails containing PDF attachments with URLs that download a JavaScript file to launch the WailingCrab loader hosted on Discord.
– The loader then initiates the execution of an injector module, which deploys a downloader to ultimately install the backdoor component.
– Newer variants of the backdoor use MQTT for downloading payloads directly from the C2 server, bypassing Discord.
– The shift to using MQTT and removing Discord callouts increases the stealthiness of WailingCrab.
– Discord is aware of the abuse of its content delivery network (CDN) for distributing malware and plans to switch to temporary file links.
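Because MQTT is rare in the threat landscape and rarer still on user workstations, the first CONNECT packet of an outbound MQTT session is a useful detection point. The following is an added defender-side example, not code from the article or the researchers it cites: it parses the MQTT CONNECT packet (3.1, 3.1.1 and 5) and flags connections to brokers outside an allowlist; matching is on the payload rather than the port, so MQTT moved to a non-standard port is still caught. The host names, broker addresses, allowlist and CONNECT packet are constructed placeholders.

```python
import struct

def _read_varint(buf, pos):
    """Decode MQTT 'Remaining Length': 7 data bits per byte, bit 0x80 means more bytes follow."""
    value = 0
    for i in range(4):
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed Remaining Length")

def _read_str(buf, pos):
    """Decode an MQTT UTF-8 string: 2-byte big-endian length prefix, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_mqtt_connect(pkt):
    """Parse a CONNECT packet (MQTT 3.1, 3.1.1 or 5); None if it is not a well-formed CONNECT."""
    if not pkt or pkt[0] >> 4 != 1:          # control packet type nibble 1 = CONNECT
        return None
    rem_len, pos = _read_varint(pkt, 1)
    if len(pkt) < pos + rem_len:             # truncated, or a non-MQTT byte that looked like 0x1?
        return None
    name, pos = _read_str(pkt, pos)
    if name not in ("MQTT", "MQIsdp"):        # "MQIsdp" is the MQTT 3.1 protocol name
        return None
    level, flags, keepalive = struct.unpack_from(">BBH", pkt, pos)
    pos += 4
    if level == 5:  # MQTT 5 inserts a Properties block between the variable header and payload
        plen, pos = _read_varint(pkt, pos)
        pos += plen
    client_id, pos = _read_str(pkt, pos)
    return {"protocol": name, "level": level, "client_id": client_id, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02), "has_username": bool(flags & 0x80)}
# Constructed CONNECT: MQTT 3.1.1, client id "bot001", username+password flags set, keepalive 60 s.
CONNECT_PKT = b"\x10\x1e\x00\x04MQTT\x04\xc2\x00\x3c\x00\x06bot001\x00\x04user\x00\x04pass"
# Constructed flow records: (source host, destination IP, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("ws-finance-07", "203.0.113.10", 1883, CONNECT_PKT),     # workstation -> unknown broker
    ("ws-finance-07", "203.0.113.10", 443, b"\x16\x03\x01"),  # TLS ClientHello, not MQTT
    ("iot-gateway-01", "10.0.5.20", 1883, CONNECT_PKT),       # sanctioned broker (hypothetical)
]
def find_unexpected_mqtt(flows, allowlist=frozenset({"10.0.5.20"})):
    """Return (host, dst, port, client_id) for CONNECTs to brokers outside the allowlist."""
    hits = []
    for host, dst, port, payload in flows:
        conn = parse_mqtt_connect(payload)
        if conn and dst not in allowlist:
            hits.append((host, dst, port, conn["client_id"]))
    return hits
```

In practice the flow records would come from a network sensor that retains the first client bytes of each TCP session; the client id, keepalive and credential flags give the analyst pivot fields for clustering sessions from the same implant.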