WailingCrab Malware Evolves to Evade Detection via MQTT

In the ever-evolving landscape of cyber threats, a new menace has emerged, capturing the attention of IBM X-Force researchers: the WailingCrab malware. Also known as WikiLoader, this multi-component malware has been evolving, especially in its command-and-control (C2) communication mechanisms, utilizing innovative methods to remain undetected.

First observed in December 2022, WailingCrab was initially deployed in email campaigns primarily targeting Italian organizations. Delivered by the initial access broker Hive0133, also linked to TA544, the malware has been instrumental in delivering the Gozi backdoor. Recent developments show its reach extending beyond Italy, often using deceptive themes like overdue delivery or shipping invoices.

WailingCrab is not just a single entity but a composite of several components: a loader, injector, downloader, and a backdoor. Each component plays a crucial role in the malware’s operation, and successful C2 communications are essential to proceed to the next stage. The malware employs various stealth and anti-analysis techniques, including code obfuscation and anti-sandbox measures.

The most striking feature of WailingCrab is its use of the MQTT protocol, a lightweight publish/subscribe messaging system common in IoT deployments. This unconventional choice for malware communication is a calculated move to avoid detection. WailingCrab utilizes a legitimate third-party broker, broker.emqx[.]io, so infected hosts only ever connect to the public broker and the true address of the C2 server stays masked.

MQTT is not typically used by malware, making its use by WailingCrab particularly noteworthy. This protocol might not be closely monitored by security teams, especially in environments where legitimate IoT traffic uses MQTT, allowing the malware’s communications to go unnoticed.

However, the use of MQTT can be a double-edged sword. In environments with no IoT-related activity, any MQTT traffic stands out, so the malicious use of the protocol is more easily detected. In environments with legitimate IoT traffic, by contrast, WailingCrab's communications could blend in seamlessly and evade detection.

Recent variants of WailingCrab have shown even greater stealth. The removal of callouts to Discord, a platform increasingly scrutinized for hosting malware, indicates a strategic shift towards more covert operations.

The sophistication of WailingCrab poses significant challenges for security researchers. Initially, the malware used communal campaign topics in MQTT, allowing researchers to monitor its activity. However, the latest versions have switched to client-specific topics, significantly reducing the visibility of its operations.

WailingCrab’s evolution, particularly its use of the MQTT protocol and the shift in communication strategies, highlights the malware’s focus on stealth and evasion. This development serves as a wake-up call to the cybersecurity community, underscoring the need for advanced detection methods and heightened vigilance. As malware authors continue to innovate, so must our approaches to cybersecurity, adapting and evolving to counter these sophisticated threats.