WailingCrab [1] [2] [3] [4] [5] [6] [7] [8] [9], also tracked as WikiLoader [1] [7], is a stealthy, actively maintained, multi-component malware loader first identified in December 2022. It is distributed by the threat actor tracked as TA544, also known as Bamboo Spider and Zeus Panda [2] [4] [5] [6] [8] [9], which IBM X-Force tracks as Hive0133 [3] and which operates as an initial access broker [1] [7]. Campaigns have expanded from an initial focus on Italy to targets worldwide and rely on delivery and shipping-themed email lures [5] [6] [9], most recently PDF attachments carrying malicious URLs [3] [7]. The operator continues to develop the malware to evade defenders and to widen the scope of its campaigns [3].

Description

The most notable recent change is the use of the MQTT publish/subscribe messaging protocol for communication with its command and control (C2) server [3] [4] [5] [6] [7] [8] [9]. MQTT is common in IoT deployments [3] but rarely seen as a malware C2 channel [4] [6], which makes its adoption by WailingCrab significant: few enterprise detection rules look for it. Newer builds also communicate over client-specific MQTT topics [3], so each infected host subscribes to its own topic and observing one bot's traffic reveals little about the rest of the botnet, reducing visibility of the operation as a whole [3].

The attack chain begins with an email carrying a PDF attachment; following the embedded link downloads a JavaScript file hosted on Discord [2] [4] [5] [6] [8]. The script launches the WailingCrab loader [2] [4] [5] [6] [8], which runs a downloader that deploys the backdoor [2] [4] [5] [6] [8]. The backdoor establishes persistence on the infected host and talks to the C2 server over MQTT [5] [6] [8]. In newer variants [2] [4] [5] [6] [8] the backdoor receives follow-on payloads directly from the C2 over MQTT [5] [6], removing the dependency on Discord-hosted downloads [5] [6]. This reflects a consistent focus on stealth and detection evasion [5] [6] [8] [9].

WailingCrab has also been observed using compromised legitimate websites for initial C2 communications and staging components on platforms such as Discord [6]. Discord has acknowledged the abuse of its content delivery network (CDN) for malware distribution and has said it will move to temporary file links by the end of the year [4] [8] [9], a change intended to curb exactly this kind of hosting.

To defend against this threat, organizations should train users to recognise the shipping-themed phishing lures used in these campaigns and should block, or at least monitor, outbound MQTT traffic (by default TCP port 1883, or 8883 over TLS) from endpoints that have no business reason to speak it [3].
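The MQTT C2 channel and per-client topics described above, and the monitoring advice in the previous paragraph, are concrete enough to show what a triage script for a captured client-to-broker stream looks like. The following is an added example written for this page; it is not code from any of the cited reports or from the malware. It implements a minimal MQTT 3.1.1 control-packet parser (CONNECT, SUBSCRIBE, PUBLISH) and a session summary that flags when the topics embed the client identifier, the pattern that "client-specific topics" produces. The client ID and topic names in the sample stream are constructed for the example and are not WailingCrab indicators. Note that over port 8883 the stream is TLS-wrapped, so this parsing only applies to plaintext captures or to traffic decrypted at a proxy; for TLS sessions you are limited to connection metadata.

```python
"""Minimal MQTT 3.1.1 control-packet parser for triaging a captured TCP stream.
Example code added to this page (not from the cited sources or the malware);
client ID and topic names below are made-up sample data."""
import struct

# MQTT control packet types (high nibble of the first byte)
CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8
TYPE_NAMES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
              8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
              14: "DISCONNECT"}


def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'Remaining Length' (7 bits per byte,
    continuation bit 0x80, at most 4 bytes). Returns (value, new_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed Remaining Length")


def _utf8_string(buf, pos):
    """Decode an MQTT UTF-8 string: 2-byte big-endian length followed by bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8"), pos + length


def parse_packets(stream):
    """Split a client->broker byte stream into packets and decode the fields
    relevant for C2 triage: client ID, subscription filters, publish topics."""
    packets, pos = [], 0
    while pos < len(stream):
        first = stream[pos]
        ptype, flags = first >> 4, first & 0x0F
        length, pos = _remaining_length(stream, pos + 1)
        body, pos = stream[pos:pos + length], pos + length
        pkt = {"type": TYPE_NAMES.get(ptype, f"TYPE_{ptype}")}
        if ptype == CONNECT:
            pkt["protocol"], p = _utf8_string(body, 0)   # "MQTT" for 3.1.1/5
            pkt["level"] = body[p]                        # 4 = MQTT 3.1.1
            connect_flags = body[p + 1]
            pkt["keepalive"] = struct.unpack_from(">H", body, p + 2)[0]
            pkt["client_id"], p = _utf8_string(body, p + 4)
            if connect_flags & 0x04:                      # Will flag: topic + message
                pkt["will_topic"], p = _utf8_string(body, p)
                _, p = _utf8_string(body, p)
            if connect_flags & 0x80:                      # User Name flag
                pkt["username"], p = _utf8_string(body, p)
        elif ptype == SUBSCRIBE:
            pkt["packet_id"] = struct.unpack_from(">H", body, 0)[0]
            topics, p = [], 2
            while p < len(body):                          # (filter, requested QoS) pairs
                topic, p = _utf8_string(body, p)
                topics.append((topic, body[p] & 0x03))
                p += 1
            pkt["topics"] = topics
        elif ptype == PUBLISH:
            qos = (flags >> 1) & 0x03
            pkt["topic"], p = _utf8_string(body, 0)
            if qos > 0:
                p += 2                                    # Packet Identifier present
            pkt["qos"], pkt["payload"] = qos, body[p:]
        packets.append(pkt)
    return packets


def triage_session(stream):
    """Summarise one session: which client ID connected, what it subscribed to,
    where it published, and whether the topics embed the client ID
    (the per-client channel pattern worth hunting for)."""
    packets = parse_packets(stream)
    client_id = next((p["client_id"] for p in packets if p["type"] == "CONNECT"), None)
    subscribed = [t for p in packets if p["type"] == "SUBSCRIBE" for t, _ in p["topics"]]
    published = [p["topic"] for p in packets if p["type"] == "PUBLISH"]
    per_client = bool(client_id) and any(client_id in t for t in subscribed + published)
    return {"client_id": client_id, "subscribed": subscribed,
            "published": published, "client_specific_topics": per_client}


# --- constructed sample stream (hypothetical, not a real capture) ------------
def _s(text):                      # encode an MQTT UTF-8 string
    raw = text.encode()
    return struct.pack(">H", len(raw)) + raw


def _packet(ptype, flags, body):   # fixed header with a single-byte length (< 128)
    if len(body) >= 128:
        raise ValueError("sample builder only handles bodies under 128 bytes")
    return bytes([(ptype << 4) | flags, len(body)]) + body


SAMPLE_STREAM = (
    _packet(CONNECT, 0, _s("MQTT") + bytes([4, 0x02]) + struct.pack(">H", 60) + _s("host-7f3a"))
    + _packet(SUBSCRIBE, 0x02, struct.pack(">H", 1) + _s("cmd/host-7f3a") + bytes([1]))
    + _packet(PUBLISH, 0x02, _s("beacon/host-7f3a") + struct.pack(">H", 2) + b"online")
)

if __name__ == "__main__":
    print(triage_session(SAMPLE_STREAM))
```

Run against the sample stream, `triage_session` reports the client ID `host-7f3a`, one subscription to `cmd/host-7f3a`, one publish to `beacon/host-7f3a`, and `client_specific_topics` set to true because both topics contain the client ID. In practice you would feed it the reassembled client-side bytes of each flow to a port-1883 destination that is not one of your known brokers and pivot on the client IDs and topic structure across hosts.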

Conclusion

Researchers continue to observe changes in WailingCrab [1] [7], most notably in its C2 communication techniques [7]. The malware, also tracked as WikiLoader [1] [7], is delivered primarily by the initial access broker Hive0133 [1] [7] through email campaigns built around overdue-delivery and shipping-invoice themes [7], most recently using PDF attachments with malicious URLs [7]. Its main component is the backdoor [7], which is installed only after the earlier stages complete successfully [7]. Since mid-2023 [3] [7] [8] the backdoor has used MQTT to communicate with the C2 [7], a choice aimed at avoiding detection [7], and the latest versions no longer rely on Discord for payload retrieval [7], making the chain stealthier still [7]. Organizations should remain vigilant and apply the precautions above against this evolving threat.

References

[1] https://threatnote.com/infosec-news/from-cyber-security-news-wailingcrab-malware-abuse-messaging-protocol-for-c2-communications/
[2] https://ciso2ciso.com/alert-new-wailingcrab-malware-loader-spreading-via-shipping-themed-emails-sourcethehackernews-com/
[3] https://duo.com/decipher/stealthy-malware-leverages-mqtt-protocol-in-spam-campaigns
[4] https://cybersocialhub.com/csh/alert-new-wailingcrab-malware-loader-spreading-via-shipping-themed-emails/
[5] https://vulners.com/thn/THN:5CC27CF2C921C88FC93266E4E2C57946
[6] https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html
[7] https://cybersecuritynews.com/wailingcrab-abuse-messaging-protocol/
[8] https://owasp.or.id/2023/11/23/new-wailingcrab-malware-loader-spreading-via-shipping-themed-emails/
[9] https://www.ihash.eu/2023/11/new-wailingcrab-malware-loader-spreading-via-shipping-themed-emails/