
Updated WailingCrab malware loader ups stealth

The TA544 threat operation, also known as Zeus Panda and Bamboo Spider, has continued to update the advanced malware loader WailingCrab, also known as WikiLoader, to enhance the stealth of attacks delivered mainly through shipping-themed emails, The Hacker News reports. Aside from leveraging hacked websites for initial command-and-control communications, the new WailingCrab variant embeds an AES-encrypted backdoor directly in the loader, whereas the previous version had the backdoor deployed by a separate downloader component, according to an IBM X-Force report. The backdoor then uses the MQTT protocol for C2 communications and further payload retrieval, replacing a Discord-based download path in order to evade detection. "Discord has become an increasingly common choice for threat actors looking to host malware, and as such it is likely that file downloads from the domain will start coming under higher levels of scrutiny. Therefore, it is not surprising that the developers of WailingCrab decided on an alternative approach," said researchers.
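A detection-side illustration added here, not code from the SC Media article or the IBM X-Force report: because the backdoor now opens MQTT sessions instead of pulling files from Discord, one way to hunt for the new channel is to parse MQTT CONNECT packets out of outbound TCP payloads and flag sessions opened by hosts that have no business speaking MQTT. The allowlist, host names and sample flows below are constructed assumptions, not indicators from the report.

```python
import struct

def build_connect(client_id: bytes, level: int = 4, keepalive: int = 60) -> bytes:
    """Build a small plaintext MQTT 3.1.1 CONNECT packet (used only to construct sample traffic)."""
    body = b"\x00\x04MQTT" + bytes([level, 0x02]) + struct.pack(">HH", keepalive, len(client_id)) + client_id
    assert len(body) < 128                        # a one-byte remaining-length field is enough here
    return b"\x10" + bytes([len(body)]) + body

def parse_mqtt_connect(payload: bytes):
    """Return the fields of an MQTT CONNECT packet, or None if the bytes are not one."""
    if len(payload) < 2 or payload[0] != 0x10:    # packet type 1 (CONNECT) with reserved flags 0
        return None
    length, mult, pos = 0, 1, 1
    while True:                                   # variable-length 'remaining length', at most 4 bytes
        if pos >= len(payload) or pos > 4:
            return None
        b = payload[pos]; pos += 1
        length += (b & 0x7F) * mult; mult *= 128
        if not b & 0x80:
            break
    if len(payload) < pos + length:               # truncated packet
        return None
    try:
        (name_len,) = struct.unpack_from(">H", payload, pos); pos += 2
        name = payload[pos:pos + name_len]; pos += name_len
        if name not in (b"MQTT", b"MQIsdp"):      # 3.1.1/5.0 send "MQTT", 3.1 sends "MQIsdp"
            return None
        level, flags, keepalive, cid_len = struct.unpack_from(">BBHH", payload, pos); pos += 6
        client_id = payload[pos:pos + cid_len].decode("utf-8", "replace")
    except struct.error:
        return None
    return {"protocol": name.decode(), "level": level, "keepalive": keepalive,
            "client_id": client_id, "has_username": bool(flags & 0x80)}

# Hypothetical allowlist of hosts that are expected to speak MQTT (IoT gateways, brokers).
EXPECTED_MQTT_HOSTS = {"iot-gateway-01"}

def flag_unexpected_mqtt(flows):
    """flows: (source host, dest port, first TCP payload). Returns CONNECTs from hosts not on the allowlist."""
    parsed = ((src, dport, parse_mqtt_connect(p)) for src, dport, p in flows)
    return [(src, dport, pkt["client_id"]) for src, dport, pkt in parsed if pkt and src not in EXPECTED_MQTT_HOSTS]

# Constructed sample flows, not real captures: an expected IoT client, a workstation, and a TLS ClientHello.
SAMPLE_FLOWS = [
    ("iot-gateway-01", 1883, build_connect(b"gw-sensor-7")),
    ("ws-finance-12", 1883, build_connect(b"a8f3c1")),
    ("ws-finance-12", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]
```

When the broker is reached over TLS (typically port 8883), the CONNECT is only visible after decryption at a TLS-inspecting proxy; on the wire you would see a ClientHello and would have to fall back to destination-based or process-based telemetry.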
