Security alert: WailingCrab malware spreads via email

admin, 2023-11-24 13:44:56


Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab.



"The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said.



WailingCrab, also called WikiLoader, was first documented by Proofpoint in August 2023, detailing campaigns targeting Italian organizations that used the malware to ultimately deploy the Ursnif (aka Gozi) trojan. It was spotted in the wild in late December 2022.



The malware is the handiwork of a threat actor known as TA544, which is also tracked as Bamboo Spider and Zeus Panda. IBM X-Force has named the cluster Hive0133.



Actively maintained by its operators, the malware has been observed incorporating features that prioritize stealth and allow it to resist analysis efforts. To further lower the chances of detection, legitimate, hacked websites are used for initial command-and-control (C2) communications.



What's more, components of the malware are stored on well-known platforms such as Discord. Another noteworthy change to the malware since mid-2023 is the use of MQTT, a lightweight messaging protocol for small sensors and mobile devices, for C2.



The protocol is something of a rarity in the threat landscape, having been put to use in only a few instances in the past, such as the Tizi and MQsTTang malware families.



The attack chains commence with emails bearing PDF attachments containing URLs that, when clicked, download a JavaScript file designed to retrieve and launch the WailingCrab loader hosted on Discord.



The loader is responsible for launching the next-stage shellcode, an injector module that, in turn, kick-starts the execution of a downloader, which ultimately deploys the backdoor.



"In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said.



"However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."



The backdoor, which acts as the malware's core, is designed to establish persistence on the infected host and contact the C2 server using the MQTT protocol to receive additional payloads.



On top of that, newer variants of the backdoor eschew a Discord-based download path in favor of a shellcode-based payload directly from the C2 via MQTT.

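For defenders, the MQTT detail is the most actionable part of the report: a workstation has no business opening an MQTT session, so a CONNECT handshake leaving the user segment is a strong signal regardless of which port the broker listens on. The following is an added example written for this page, not code from IBM X-Force or from the WailingCrab sample. It parses the MQTT CONNECT control packet (v3.1.1 and v5) from captured flow payloads and flags CONNECTs from hosts outside the networks where MQTT is expected. The flow records, addresses, client IDs, credentials and the "10.50.0.0/16" IoT segment are all constructed for the example.

```python
"""Flag MQTT CONNECT handshakes from hosts that should not be talking to a broker."""
import ipaddress
import struct

CONNECT_HEADER = 0x10      # packet type 1 (CONNECT) in the high nibble, reserved flags 0 below
MQTT_PORTS = {1883, 8883}  # IANA ports for plaintext and TLS MQTT

def decode_remaining_length(data: bytes, offset: int):
    """Decode MQTT's variable-length integer (1-4 bytes, 7 data bits each)."""
    value = 0
    for i in range(4):
        byte = data[offset + i]                  # IndexError if truncated
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, offset + i + 1
    raise ValueError("malformed remaining length")

def read_prefixed(data: bytes, offset: int):
    """Read a 2-byte big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">H", data, offset)   # struct.error if truncated
    end = offset + 2 + length
    if end > len(data):
        raise ValueError("truncated field")
    return data[offset + 2:end], end

def parse_mqtt_connect(packet: bytes):
    """Return CONNECT fields as a dict, or None if the bytes are not an MQTT CONNECT."""
    if len(packet) < 2 or packet[0] != CONNECT_HEADER:
        return None
    try:
        remaining, pos = decode_remaining_length(packet, 1)
        body = packet[pos:pos + remaining]
        if len(body) != remaining:
            return None
        name, pos = read_prefixed(body, 0)
        if name not in (b"MQTT", b"MQIsdp"):     # v3.1.1/v5, and legacy v3.1
            return None
        level, flags = body[pos], body[pos + 1]
        (keepalive,) = struct.unpack_from(">H", body, pos + 2)
        pos += 4
        if level == 5:                           # v5 inserts a properties block here
            plen, pos = decode_remaining_length(body, pos)
            pos += plen
        client_id, pos = read_prefixed(body, pos)
        info = {"level": level, "keepalive": keepalive, "username": None,
                "has_password": bool(flags & 0x40),
                "client_id": client_id.decode("utf-8", "replace")}
        if flags & 0x04:                         # Will flag: (v5 properties,) topic, message
            if level == 5:
                plen, pos = decode_remaining_length(body, pos)
                pos += plen
            _, pos = read_prefixed(body, pos)
            _, pos = read_prefixed(body, pos)
        if flags & 0x80:                         # User Name flag; password would follow it
            user, pos = read_prefixed(body, pos)
            info["username"] = user.decode("utf-8", "replace")
        return info
    except (ValueError, IndexError, struct.error):
        return None

def find_mqtt_c2_candidates(flows, mqtt_networks):
    """Report MQTT CONNECTs from sources outside the networks where MQTT is expected."""
    expected = [ipaddress.ip_network(n) for n in mqtt_networks]
    findings = []
    for flow in flows:
        if any(ipaddress.ip_address(flow["src"]) in net for net in expected):
            continue
        connect = parse_mqtt_connect(flow["payload"])   # match on bytes, not port
        if connect is not None:
            reason = "mqtt_connect_cleartext"
            if flow["dport"] not in MQTT_PORTS:
                reason += "_nonstandard_port"
        elif flow["dport"] == 8883:                     # TLS hides the payload; port is all we have
            reason = "tls_to_mqtt_port"
        else:
            continue
        findings.append({"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                         "reason": reason, "client_id": connect["client_id"] if connect else None})
    return findings

def build_connect(client_id: str, username=None, password=None) -> bytes:
    """Build a v3.1.1 CONNECT for the constructed sample flows below (not a real capture)."""
    flags = 0x02 | (0x80 if username else 0) | (0x40 if password else 0)
    body = b"\x00\x04MQTT" + bytes([4, flags]) + struct.pack(">H", 60)
    for field in (client_id, username, password):
        if field:
            body += struct.pack(">H", len(field.encode())) + field.encode()
    return bytes([CONNECT_HEADER, len(body)]) + body     # body < 128 bytes, so one length byte

TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # constructed TLS record prefix
SAMPLE_FLOWS = [   # constructed; addresses are from documentation ranges
    {"src": "10.20.30.41", "dst": "203.0.113.10", "dport": 1883, "payload": build_connect("wks-41", "bot", "s3cret")},
    {"src": "10.20.30.41", "dst": "198.51.100.7", "dport": 443,  "payload": build_connect("wks-41")},
    {"src": "10.50.0.5",   "dst": "10.50.0.1",    "dport": 1883, "payload": build_connect("sensor-07")},
    {"src": "10.20.30.42", "dst": "198.51.100.7", "dport": 443,  "payload": TLS_HELLO},
    {"src": "10.20.30.43", "dst": "203.0.113.10", "dport": 8883, "payload": TLS_HELLO},
]
MQTT_NETWORKS = ["10.50.0.0/16"]   # assumed IoT segment where MQTT is legitimate
```

Running `find_mqtt_c2_candidates(SAMPLE_FLOWS, MQTT_NETWORKS)` reports the two cleartext CONNECTs from the workstation (the one over port 443 is tagged as a non-standard port) and the TLS session to port 8883, while the sensor on the IoT segment is ignored. Matching on the CONNECT bytes rather than the port matters because an operator who already went to the trouble of swapping Discord for MQTT can point the backdoor at any port; the limit is that TLS-wrapped sessions are opaque, so for those the port, the server certificate and the originating process are what remain to check.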


"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the researchers concluded. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."



"Discord has become an increasingly common choice for threat actors looking to host malware, and as such it is likely that file downloads from the domain will start coming under higher levels of scrutiny. Therefore, it is not surprising that the developers of WailingCrab decided on an alternative approach."



The abuse of Discord's content delivery network (CDN) for distributing malware hasn't gone unnoticed by the social media company, which told Bleeping Computer earlier this month that it will switch to temporary file links by the end of the year.



Originally published on the WeChat official account 知机安全: Security alert: WailingCrab malware spreads via email

Posted by admin on 2023-11-24 13:44:56. Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2236059.html
