Experts have spotted a new malware campaign that uses delivery and shipping-themed phishing emails to drop the payload on target endpoints.
In a report, IBM X-Force researchers said that hackers known as TA544 (AKA Bamboo Spider, Zeus Panda) were sending out phishing emails that claimed to come from delivery service providers and discussed pending payments. The “details” would be sent as a .PDF attachment which, when activated, would download a JavaScript file whose purpose was to download and run the WailingCrab loader hosted on Discord.
WailingCrab is a multi-faceted piece of malware, they said: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said in the report.
MQTT protocol for stealth
The loader launches a separate module, which ultimately downloads a backdoor. "In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said. "However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."
The backdoor establishes persistence and contacts the C2 server via the MQTT protocol, which also allows it to receive more payloads if need be. Furthermore, newer versions are moving away from Discord-hosted payloads to a shellcode-based payload received directly from the C2 via MQTT.
"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the experts said. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."
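For defenders, the shift to MQTT means looking for MQTT sessions from hosts that have no reason to speak it. The sketch below is an added example, not code from the IBM X-Force report: it recognises an MQTT CONNECT packet from the first bytes of a TCP stream, whatever the port, and reports sources outside an allow-list. The function names, sample flows and allow-list are assumptions constructed for illustration.

```python
import struct

def decode_remaining_length(buf, pos):
    """Decode MQTT's variable-length integer; return (value, next_pos) or None."""
    value = 0
    for i in range(4):                       # the spec allows at most 4 bytes
        if pos + i >= len(buf):
            return None
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:                  # continuation bit clear: done
            return value, pos + i + 1
    return None                              # malformed length field

def parse_mqtt_connect(payload):
    """Return protocol details if payload starts with an MQTT CONNECT, else None."""
    if len(payload) < 2 or payload[0] != 0x10:   # packet type 1 (CONNECT), flags 0
        return None
    decoded = decode_remaining_length(payload, 1)
    if decoded is None or decoded[1] + 2 > len(payload):
        return None
    remaining, pos = decoded
    (name_len,) = struct.unpack_from(">H", payload, pos)
    name = payload[pos + 2:pos + 2 + name_len]
    if name not in (b"MQTT", b"MQIsdp"):     # v3.1.1/v5.0 and legacy v3.1 names
        return None
    pos += 2 + name_len
    if remaining < name_len + 6 or pos + 4 > len(payload):
        return None
    level, _flags, keepalive = struct.unpack_from(">BBH", payload, pos)
    return {"protocol": name.decode(), "level": level, "keepalive": keepalive}

def flag_unexpected_mqtt(flows, allowed_clients):  # flows: (src, dst, first_bytes)
    hits = []
    for src, dst, payload in flows:
        info = parse_mqtt_connect(payload)
        if info and src not in allowed_clients:
            hits.append((src, dst, info["protocol"], info["level"]))
    return hits

# Constructed sample data (documentation IP ranges), not taken from the report.
CONNECT_311 = b"\x10\x0e\x00\x04MQTT\x04\x02\x00\x3c\x00\x02c1"
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7:1883", CONNECT_311),          # workstation
    ("192.0.2.50", "198.51.100.7:1883", CONNECT_311),          # approved IoT gateway
    ("192.0.2.10", "198.51.100.9:80", b"GET / HTTP/1.1\r\n"),  # ordinary web traffic
    ("192.0.2.11", "198.51.100.7:443", CONNECT_311),           # MQTT on another port
]
ALLOWED_MQTT_CLIENTS = {"192.0.2.50"}
```

MQTT wrapped in TLS will not match this check, since the CONNECT packet is encrypted; there the destination and the allow-list of expected MQTT clients are the remaining signals.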
Discord recently said it will move to temporary file links by the end of the year, in an attempt to stop the abuse of its content delivery network.
Via TheHackerNews