Malware, Threat Intelligence

Novel WikiLoader malware examined

Italian organizations have been targeted since December by the TA544 and TA551 threat operations in phishing campaigns that deploy WikiLoader, a novel and sophisticated downloader malware, reports The Record, a news site by cybersecurity firm Recorded Future. In a February campaign, attackers used malicious Microsoft Excel attachments purporting to be from an Italian courier service to install WikiLoader, which then prompts the distribution of the Ursnif malware, according to a Proofpoint report. Researchers noted that WikiLoader can send requests to Wikipedia to check for the presence of the "The Free" string, which the malware may use to verify that it has a public internet connection. The findings also noted that WikiLoader has at least three different versions, suggesting active development and the potential for facilitating the delivery of other payloads. "This malware is in rapid development, and the threat actors are attempting to make the loader more complicated, and the payload more difficult to retrieve," said researchers.
