That delivery email could be malware - here's what you need to know


Experts have spotted a new malware campaign that uses delivery and shipping-themed phishing emails to drop the payload on target endpoints.

In a report, IBM X-Force researchers said that the threat actor tracked as TA544 (also known as Bamboo Spider and Zeus Panda) was sending phishing emails that claimed to come from delivery service providers and discussed pending payments. The "details" arrived as a PDF attachment which, when opened, downloaded a JavaScript file whose purpose was to fetch and run the WailingCrab loader hosted on Discord.

WailingCrab is a multi-component piece of malware, according to IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," they said in the report.


MQTT protocol for stealth

The loader launches a separate module, which ultimately downloads a backdoor. "In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said. "However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."

The backdoor establishes persistence and contacts the C2 server over the MQTT protocol, which also lets it receive further payloads when needed. Furthermore, newer versions are moving away from Discord to a shellcode-based payload received directly from the C2 over MQTT.

"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the experts said. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."
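The MQTT command-and-control channel described above is the kind of traffic a port-based rule can miss if the broker listens on a non-standard port. As an added example (not code from the IBM X-Force report or this article), here is a minimal parser that recognises an MQTT CONNECT packet from the first bytes of a TCP stream and tags flows accordingly; the host names and packet bytes are constructed samples.

```python
import struct
MQTT_PORTS = {1883, 8883}  # IANA-assigned MQTT ports (plain / TLS)

def decode_remaining_length(data, offset):
    """Decode MQTT's 1-4 byte 'remaining length' (7 data bits + continuation bit each)."""
    value = 0
    for i in range(4):
        value += (data[offset + i] & 0x7F) << (7 * i)  # IndexError on truncation -> caller
        if not data[offset + i] & 0x80:
            return value, offset + i + 1
    raise ValueError("remaining-length field exceeds 4 bytes")

def parse_mqtt_connect(payload):
    """Return a dict for an MQTT CONNECT (v3.1/v3.1.1/v5) at the start of a TCP stream, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1 (CONNECT), flags nibble must be 0
        return None
    try:
        remaining, pos = decode_remaining_length(payload, 1)
        if pos + remaining > len(payload):
            return None
        name_len = struct.unpack_from(">H", payload, pos)[0]
        name = payload[pos + 2:pos + 2 + name_len].decode("ascii")
        pos += 2 + name_len
        if name not in ("MQTT", "MQIsdp"):  # v3.1.1/v5 name, or the older v3.1 name
            return None
        level = payload[pos]  # protocol level: 3 = v3.1, 4 = v3.1.1, 5 = v5
        keepalive = struct.unpack_from(">H", payload, pos + 2)[0]
        pos += 4
        if level == 5:  # MQTT 5 inserts a properties block before the client id
            props_len, pos = decode_remaining_length(payload, pos)
            pos += props_len
        cid_len = struct.unpack_from(">H", payload, pos)[0]
        client_id = payload[pos + 2:pos + 2 + cid_len].decode("utf-8")
    except (struct.error, IndexError, ValueError, UnicodeDecodeError):
        return None
    return {"protocol": name, "level": level, "client_id": client_id, "keepalive": keepalive}

def flag_mqtt_flows(flows):
    """flows: (src_host, dst_port, first_bytes) -> (src, port, client_id, tag) per MQTT CONNECT."""
    hits = []
    for src, port, first in flows:
        info = parse_mqtt_connect(first)
        if info:
            hits.append((src, port, info["client_id"], "mqtt" if port in MQTT_PORTS else "mqtt-nonstandard-port"))
    return hits

SAMPLE_FLOWS = [  # constructed samples, not captured traffic
    ("ws-07", 443, b"\x10\x12\x00\x04MQTT\x04\x02\x00\x3c\x00\x06dev-01"),      # v3.1.1 CONNECT on 443
    ("iot-gw", 1883, b"\x10\x13\x00\x04MQTT\x05\x02\x00\x3c\x00\x00\x06dev-01"), # v5 CONNECT on 1883
]
```

Feeding the first bytes of each new outbound TCP connection into flag_mqtt_flows surfaces MQTT clients on hosts that have no business speaking it, whatever port the broker uses.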

Discord recently said it will move to temporary file links by the end of the year, in an attempt to stop the abuse of its content delivery network.

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.