While Italy is on high alert for yet another wave of DDoS attacks, this time against the banking system, a new malware named WikiLoader threatens Italian organizations and users.

Several criminal groups have launched phishing campaigns to spread WikiLoader, intending to use it to infect victims' machines with the known Ursnif banking trojan.

According to Proofpoint experts, who first identified the threat, the malware supports multiple mechanisms to evade detection, which is why the malicious code is considered particularly insidious.

“WikiLoader was first identified in December 2022 while in use by the TA544 group, a financially motivated actor who typically uses the Ursnif Trojan to target Italian organizations. Proofpoint subsequently observed several campaigns, most of which targeted Italian organizations,” reads the analysis published by Proofpoint. “WikiLoader is a sophisticated downloader with the aim of installing a second piece of malware. The malware contains attractive evasion techniques and custom implementation of code designed to make detection and analysis challenging.”

The WikiLoader name derives from Wikipedia: when the malware runs, it makes a request to Wikipedia and checks that the response body contains the string “The Free”, a simple test for a live internet connection that is typically absent in sandboxes.

Proofpoint tracked at least eight campaigns that distributed the malware since December 2022, the most notable of which were observed on December 27, 2022, February 8, 2023, and July 11, 2023.

The most alarming aspect of the WikiLoader discovery is that different criminal groups are behind the various campaigns, which suggests that the malware is offered to the criminal underground under a malware-as-a-service model. According to experts, the malware's authors rent it to various criminal groups, who use it to infect the victims of their respective campaigns with banking malware such as Ursnif.

In campaigns observed by Proofpoint, attackers have sent messages containing Microsoft Office or PDF attachments which, once opened, started the infection process. According to Proofpoint, WikiLoader was distributed by at least two separate criminal groups, known as TA544 and TA551, and both have targeted Italian organizations.

Here are some examples of phishing emails. The first image shows a message used in the phishing campaign observed in December, containing a Microsoft Excel attachment that presents itself as coming from the Italian Revenue Agency. The user is asked to click the view button to see the content, which actually starts the infection process.

In the second image, relating to the February 2023 campaign, the attackers impersonated an Italian courier.

Sadly, the attacks have continued over time: a new campaign was observed in July from the TA544 group, which used accounting-themed emails to distribute messages with PDF attachments and links that, when opened or clicked, download a compressed JavaScript file capable of downloading and running WikiLoader.

The recent campaign’s discovery refutes researchers’ assumptions that the malware is developing rapidly and that the authors are continually improving it.

However, it should be emphasized that user interaction is required to start the infection process. For this reason, organizations should ensure that macros are disabled by default for all employees, and it is recommended that external files embedded within OneNote documents be blocked from running. It is also recommended that JavaScript files be opened in Notepad or a similar application, so that their content can be inspected instead of executed.
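The three mitigations above can be audited and, where needed, applied from PowerShell on a Windows host. The script below is an added example for illustration and is not code from the article or from Proofpoint. It assumes the Office 2016+ policy registry locations (`VBAWarnings` = 4 disables all macros without notification; `blockcontentexecutionfrominternet` = 1 blocks macros in files that carry the Mark-of-the-Web), and it assumes that the OneNote policy value `EmbeddedFileOpenOptions` = 2 blocks embedded files with dangerous extensions; verify that value against current Microsoft documentation before relying on it. The `.js`/`.jse` handler change re-points the `JSFile`/`JSEFile` open command from WScript.exe to Notepad so a double-click shows source instead of running it.

```powershell
# Added example (not from the article or Proofpoint): audit the recommended
# mitigations on this host, and apply them when run with -Enforce.
# HKCU policy keys affect the current user; the HKLM handler change needs an
# elevated prompt. Fleet-wide, set the same values through Group Policy instead.
$Enforce = $args -contains '-Enforce'

$OfficeApps = @('Word', 'Excel', 'PowerPoint')

# Desired registry state for each mitigation.
$Checks = @(
    foreach ($app in $OfficeApps) {
        [pscustomobject]@{
            Name  = "$app macros disabled without notification"
            Path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            Value = 'VBAWarnings'
            Want  = 4   # 4 = disable all macros without notification
        }
        [pscustomobject]@{
            Name  = "$app block macros in files from the internet"
            Path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            Value = 'blockcontentexecutionfrominternet'
            Want  = 1
        }
    }
    [pscustomobject]@{
        Name  = 'OneNote block embedded files with dangerous extensions'
        Path  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options'
        Value = 'EmbeddedFileOpenOptions'
        Want  = 2   # ASSUMPTION: 2 = block; confirm against Microsoft's OneNote policy docs
    }
)

function Test-Mitigation {
    param([Parameter(Mandatory)]$Check)
    $current = $null
    if (Test-Path $Check.Path) {
        $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Value `
                    -ErrorAction SilentlyContinue).($Check.Value)
    }
    [pscustomobject]@{
        Name      = $Check.Name
        Current   = $current
        Want      = $Check.Want
        Compliant = ($current -eq $Check.Want)
    }
}

function Set-Mitigation {
    param([Parameter(Mandatory)]$Check)
    if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
    New-ItemProperty -Path $Check.Path -Name $Check.Value -Value $Check.Want `
                     -PropertyType DWord -Force | Out-Null
}

# Script-file handlers: by default .js/.jse open with WScript.exe, which executes them.
function Test-ScriptHandler {
    foreach ($progId in 'JSFile', 'JSEFile') {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $cmd = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
        [pscustomobject]@{
            Name      = "$progId open command"
            Current   = $cmd
            Want      = 'notepad.exe "%1"'
            Compliant = ($cmd -match 'notepad\.exe')
        }
    }
}

function Set-ScriptHandler {
    foreach ($progId in 'JSFile', 'JSEFile') {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"'
    }
}

if ($Enforce) {
    $Checks | ForEach-Object { Set-Mitigation $_ }
    Set-ScriptHandler
}

# Report: one row per mitigation, Compliant = True/False.
@($Checks | ForEach-Object { Test-Mitigation $_ }) + @(Test-ScriptHandler) |
    Format-Table Name, Current, Want, Compliant -AutoSize
```

Run it without arguments first to see which settings are already compliant; run it again with `-Enforce` from an elevated prompt to apply them. Re-pointing the handler does not stop a script that is launched explicitly through `wscript.exe` or `cscript.exe`, so it complements, rather than replaces, mail filtering of script attachments and application control.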