TechRadar
Sead Fadilpašić

That delivery email could be malware - here's what you need to know


Experts have spotted a new malware campaign that uses delivery and shipping-themed phishing emails to drop the payload on target endpoints.

In a report, IBM X-Force researchers said that the threat actor tracked as TA544 (AKA Bamboo Spider, Zeus Panda) was sending phishing emails that purported to come from delivery service providers and discussed pending payments. The "details" were attached as a .PDF which, when opened, downloaded a JavaScript file whose purpose was to fetch and run the WailingCrab loader hosted on Discord.

WailingCrab is a multi-component piece of malware, according to IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," they said in the report.


MQTT protocol for stealth

The loader launches a separate module, which ultimately downloads a backdoor. "In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said. "However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."

The backdoor establishes persistence and contacts the C2 server via the MQTT protocol, which also allows it to receive further payloads if need be. Furthermore, newer versions are moving away from Discord and towards a shellcode-based payload received directly from the C2 via MQTT.

"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the experts said. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."
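The two behaviours the report describes, a workstation fetching a payload from the Discord CDN and then opening an MQTT session to an external broker, are both visible in ordinary network connection logs. The following Python routine is an added example, not code from the article or from IBM X-Force: it reads constructed, Zeek-style connection records and flags any host outside an MQTT allowlist that speaks MQTT (ports 1883/8883), raising the severity when the same host fetched from cdn.discordapp.com shortly before. The log format, hosts, IP addresses and the one-hour correlation window are all assumptions made for the example.

```python
"""
Added detection example (not from the TechRadar article or the IBM X-Force
report). Flags hosts that open MQTT sessions without being expected to, and
correlates them with a preceding Discord CDN fetch. All records below are
constructed; the tab-separated format "ts src dst dport host" is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MQTT_PORTS = {1883, 8883}          # plain and TLS MQTT broker ports
DISCORD_CDN = "cdn.discordapp.com"  # CDN named in the report as a payload host
CORRELATION_WINDOW_S = 3600         # assumption: link a CDN fetch to MQTT within 1h


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    host: str  # HTTP Host / TLS SNI if observed, else ""


def parse_conn_line(line: str) -> Conn:
    """Parse one constructed record: ts<TAB>src<TAB>dst<TAB>dport<TAB>host ('-' = none)."""
    ts, src, dst, dport, host = line.rstrip("\n").split("\t")
    return Conn(float(ts), src, dst, int(dport), "" if host == "-" else host)


def detect(lines: List[str], mqtt_allowlist: set) -> List[Tuple[str, str, str]]:
    """
    Return (severity, source_host, reason) alerts.

    mqtt_allowlist holds hosts that legitimately speak MQTT (IoT gateways,
    telemetry collectors). Any other host opening MQTT is 'medium'; if that
    host fetched from the Discord CDN within the correlation window it is 'high'.
    """
    conns = [parse_conn_line(l) for l in lines if l.strip() and not l.startswith("#")]
    conns.sort(key=lambda c: c.ts)

    last_cdn_fetch: Dict[str, float] = {}  # src host -> ts of last Discord CDN contact
    alerts: List[Tuple[str, str, str]] = []
    for c in conns:
        if c.host.endswith(DISCORD_CDN):
            last_cdn_fetch[c.src] = c.ts
        if c.dport in MQTT_PORTS and c.src not in mqtt_allowlist:
            severity = "medium"
            reason = f"unexpected MQTT from {c.src} to {c.dst}:{c.dport}"
            fetched_at = last_cdn_fetch.get(c.src)
            if fetched_at is not None and c.ts - fetched_at <= CORRELATION_WINDOW_S:
                severity = "high"
                reason += f" within {int(c.ts - fetched_at)}s of a {DISCORD_CDN} fetch"
            alerts.append((severity, c.src, reason))
    return alerts


# Constructed sample log: one infected-looking workstation (10.0.5.12), one
# unexplained MQTT talker (10.0.7.200) and one allowlisted IoT gateway (10.0.1.50).
SAMPLE_LOG = """# ts\tsrc\tdst\tdport\thost
1700000000.0\t10.0.5.12\t203.0.113.10\t443\tcdn.discordapp.com
1700000120.0\t10.0.5.12\t198.51.100.7\t8883\t-
1700000300.0\t10.0.9.3\t192.0.2.5\t443\twww.example.com
1700000400.0\t10.0.7.200\t198.51.100.9\t1883\t-
1700000500.0\t10.0.1.50\t198.51.100.9\t1883\t-
"""
MQTT_ALLOWLIST = {"10.0.1.50"}  # constructed: the site's known IoT gateway


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG.splitlines(), MQTT_ALLOWLIST)


if __name__ == "__main__":
    for severity, host, reason in run_sample():
        print(f"[{severity}] {host}: {reason}")
```

On the sample this produces a high-severity alert for 10.0.5.12 (Discord CDN fetch followed two minutes later by TLS MQTT to an external broker) and a medium one for 10.0.7.200; the allowlisted gateway is silent. In practice the allowlist is the important tuning knob: MQTT is legitimate on building-management and monitoring networks, so the signal is MQTT from hosts where it has no business being, not MQTT as such.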

Discord recently said it will move to temporary file links by the end of the year, in an attempt to stop the abuse of its content delivery network.

Via TheHackerNews
