Experts have discovered a new malware campaign that uses phishing emails with a delivery and shipping theme to drop the payload on target endpoints.
In a report on the campaign, researchers at IBM X-Force describe the lure: the shipment "details" arrive as a PDF attachment which, if opened, downloads a JavaScript file whose only job is to fetch and run the WailingCrab loader, itself hosted on Discord.
WailingCrab is a multi-faceted piece of malware, according to IBM X-Force researchers Charlotte Hammond, Ole Villadsen and Kat Metrick, who write in the report: “The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often required to retrieve the next stage.”
MQTT protocol for stealth
The loader will launch a separate module, which will then eventually download a backdoor. “In previous versions, this component downloaded the backdoor, which would be hosted as an attachment on the Discord CDN,” the researchers said. “However, the latest version of WailingCrab already includes the backdoor component encrypted with AES, and instead it contacts the C2 to download a decryption key to decrypt the backdoor.”
The backdoor provides persistence and contacts the C2 server over the MQTT protocol, a lightweight publish/subscribe protocol normally seen in IoT and messaging deployments, which also lets it receive further payloads if needed. Additionally, newer versions are moving away from Discord entirely, instead receiving a shellcode-based payload directly from the C2 over MQTT.
“WailingCrab’s move to use the MQTT protocol represents a focused effort in stealth and detection evasion,” the experts said. “The newer variants of WailingCrab also remove calls to Discord for payload retrieval, further increasing stealth.”
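Because MQTT is rarely spoken by ordinary workstations, one practical detection is to parse the first TCP payload of outbound flows for an MQTT CONNECT packet and flag any that go to a broker outside an allowlist. The following is an added example written for this article, not code from the IBM X-Force report or from WailingCrab itself; the packet bytes, host names and the allowlist are constructed for illustration, and the CONNECT builder exists only to produce that sample traffic.

```python
"""
Added example (not from the IBM X-Force report or the article): a minimal
MQTT 3.1.1 fixed-header and CONNECT parser, run over constructed packet
bytes to flag MQTT CONNECT attempts to brokers outside an allowlist.
The sample flows below are constructed for this example, not captures of
WailingCrab traffic.
"""
import struct

# MQTT control packet type lives in the high nibble of the first byte (MQTT 3.1.1 spec).
CONNECT = 1
TYPE_NAMES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE", 12: "PINGREQ"}


def decode_remaining_length(data: bytes, offset: int):
    """Decode the MQTT variable-length 'remaining length' field (1 to 4 bytes, 7 bits each).
    Returns (value, offset_after_field)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def encode_remaining_length(n: int) -> bytes:
    """Inverse of decode_remaining_length; used only to build sample packets."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (clean session, no username/password)."""
    body = struct.pack(">H", 4) + b"MQTT" + bytes([4, 0x02]) + struct.pack(">H", keepalive)
    cid = client_id.encode("utf-8")
    body += struct.pack(">H", len(cid)) + cid
    return bytes([CONNECT << 4]) + encode_remaining_length(len(body)) + body


def parse_mqtt_connect(payload: bytes):
    """Parse one MQTT packet. Returns a dict with CONNECT details, a dict with
    only 'type' for other packet types, or None if the bytes do not form a
    complete MQTT packet. Raises on malformed length/field encodings."""
    if len(payload) < 2:
        return None
    ptype = payload[0] >> 4
    remaining, pos = decode_remaining_length(payload, 1)
    if pos + remaining > len(payload):
        return None  # truncated, or simply not MQTT
    if ptype != CONNECT:
        return {"type": TYPE_NAMES.get(ptype, f"type{ptype}")}
    body = payload[pos:pos + remaining]
    # Variable header: length-prefixed protocol name, protocol level, connect flags, keepalive.
    name_len = struct.unpack(">H", body[:2])[0]
    name = body[2:2 + name_len].decode("ascii", "replace")
    i = 2 + name_len
    level, flags = body[i], body[i + 1]
    keepalive = struct.unpack(">H", body[i + 2:i + 4])[0]
    i += 4
    # Payload starts with the length-prefixed client identifier.
    cid_len = struct.unpack(">H", body[i:i + 2])[0]
    client_id = body[i + 2:i + 2 + cid_len].decode("utf-8", "replace")
    return {"type": "CONNECT", "protocol": name, "level": level, "keepalive": keepalive,
            "client_id": client_id, "has_username": bool(flags & 0x80),
            "has_password": bool(flags & 0x40)}


# Constructed sample flows: (src_host, dst_host, dst_port, first client-to-server payload).
SAMPLE_FLOWS = [
    ("iot-gw-01", "broker.corp.example", 1883, build_connect("iot-gw-01")),
    ("ws-finance-07", "203.0.113.45", 1883, build_connect("a1b2c3d4")),
    ("ws-finance-07", "203.0.113.45", 443, build_connect("a1b2c3d4", keepalive=600)),
    ("ws-hr-02", "intranet.corp.example", 443, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]


def flag_suspicious_mqtt(flows, allowed_brokers):
    """Return flows whose first payload is an MQTT CONNECT to a host not in allowed_brokers.
    Non-MQTT payloads (HTTP, TLS) and undecodable bytes are skipped, not flagged."""
    hits = []
    for src, dst, port, payload in flows:
        try:
            info = parse_mqtt_connect(payload)
        except (ValueError, struct.error, IndexError):
            continue
        if not info or info["type"] != "CONNECT" or info["protocol"] not in ("MQTT", "MQIsdp"):
            continue
        if dst not in allowed_brokers:
            hits.append({"src": src, "dst": dst, "port": port,
                         "client_id": info["client_id"], "keepalive": info["keepalive"]})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_mqtt(SAMPLE_FLOWS, {"broker.corp.example"}):
        print(hit)
```

Note the port-443 case: a CONNECT on a port the firewall associates with HTTPS is only visible here because the sample is plaintext. If the C2 wraps MQTT in TLS (the standard port is 8883) payload parsing will not work, and the fallback is destination reputation, the absence of an expected TLS client profile for the host, and the long-lived, low-volume connection pattern MQTT keepalives produce.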
Discord recently said it will switch to temporary file links by the end of the year in an effort to stop abuse of its content delivery network.
Via The Hacker News