The threat actors behind a sophisticated malware that was discovered less than a year ago have recently expanded their targeting and updated the malware's C2 communication tactics in an attempt to make it more difficult for security teams to detect their attacks.
The malware, tracked by researchers as WailingCrab, was first discovered in December 2022, and has been used in email campaigns to deliver the Gozi backdoor against targets in Italy. However, researchers with IBM’s X-Force team this week said that more recently, they have observed thousands of spam emails delivering WailingCrab being sent to targets across the globe, including ones in North and South America, Europe and Asia.
In another major change, since mid-2023 the malware’s backdoor component started communicating with its C2 via the MQTT lightweight IoT messaging protocol. As part of this protocol, messages are published through “topics” and received by “subscribers.” Here, distribution is handled by a centralized broker, and the malware uses a legitimate third-party broker so that it can hide the address of its C2 server.
The use of MQTT here is notable because it has previously only been used in a few malware campaigns, such as one involving a backdoor called MQsTTang and used by a China-linked threat actor, said researchers. On the other hand, threat actors using this IoT protocol in environments that should not have IoT-related activity may actually make malicious activity easier to detect in some cases, they said.
Regardless, “the move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion,” said Charlotte Hammond, Ole Villadsen and Kat Metrick, with IBM’s X-Force team in a Tuesday post. “The MQTT protocol is currently not commonly used by malware. It therefore is unlikely to come under much scrutiny by existing security solutions, especially in environments that use MQTT for legitimate IoT traffic.”
The malware was historically distributed via emails purporting to be about overdue delivery or shipping invoices and carrying Microsoft Excel, OneNote or PDF attachments. More recently, researchers said, the campaigns have relied more heavily on PDF attachments containing malicious URLs that, once clicked, lead to the execution of WailingCrab’s loader. The malware’s backdoor component is responsible for installing persistence and communicating with the C2.
The malware has been tweaked as recently as September, and researchers observed newer versions of WailingCrab leveraging an updated method to communicate with the C2 via MQTT. While older versions sent messages to a single centralized MQTT “topic,” this centralized topic has now been removed, and newer versions communicate only through client-specific topics, cutting back on visibility of the malware’s activities.
“In the initial version, the use of the communal campaign topic made it relatively straightforward to observe the malware’s activity,” said researchers. “The fact that WailingCrab uses a public broker means that anyone could subscribe to the campaign topic and monitor the messages being sent to it. In the new version the developers have switched to communicating via client-specific topics only, and unfortunately removing this wider visibility of the malware’s activity.”
These updates reflect that the threat actor behind the malware, Hive0133, is aggressively expanding its campaign scope and actively developing the malware to evade detection by defense teams. Security teams, for their part, should be familiar with Hive0133’s TTPs and the malware’s IoCs, as well as those for the follow-on Gozi backdoor payload, said Kat Metrick, senior threat analyst with IBM X-Force.
Metrick also recommended that organizations educate users on characteristics of the phishing tactics associated with this attack, and consider blocking or monitoring the use of the MQTT protocol, especially in environments that don't have IoT-related activity.
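In practice, the monitoring recommendation above means recognising MQTT on the wire and deciding which hosts and brokers are allowed to speak it. The following Python is an added example written for this article, not code from IBM X-Force or from the malware: it decodes MQTT 3.1.1 CONNECT, PUBLISH and SUBSCRIBE packets (the real wire format: a fixed header, a variable-length "remaining length" field, length-prefixed UTF-8 strings, and topic names carried in PUBLISH and SUBSCRIBE, which is where the "topics" and "subscribers" described earlier appear) and applies two constructed policy rules: MQTT from a host with no IoT role, and MQTT to a broker that is not on the approved list. All IP addresses, client ids, topic names and allowlists are constructed sample data, not WailingCrab indicators.

```python
"""Flag MQTT traffic from hosts with no legitimate IoT role (added example)."""
import struct
from dataclasses import dataclass

CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8
MQTT_PORTS = (1883, 8883)            # IANA-registered plaintext and TLS ports


def _decode_remaining_length(buf: bytes, pos: int):
    """MQTT variable-length integer: 7 data bits per byte, high bit = continue."""
    value, multiplier = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _read_string(buf: bytes, pos: int):
    """Length-prefixed UTF-8 string (2-byte big-endian length)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_packet(buf: bytes):
    """Decode one control packet into (kind, details); other kinds get {}."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    rem, pos = _decode_remaining_length(buf, 1)
    body = buf[pos:pos + rem]
    if len(body) != rem:
        raise ValueError("truncated packet")
    if ptype == CONNECT:
        proto, p = _read_string(body, 0)
        level = body[p]
        p += 1 + 1 + 2                   # protocol level, connect flags, keep-alive
        client_id, _ = _read_string(body, p)
        return "CONNECT", {"protocol": proto, "level": level, "client_id": client_id}
    if ptype == PUBLISH:
        topic, p = _read_string(body, 0)
        qos = (flags >> 1) & 0x03
        if qos:
            p += 2                       # packet identifier only present for QoS > 0
        return "PUBLISH", {"topic": topic, "qos": qos, "payload_len": len(body) - p}
    if ptype == SUBSCRIBE:
        p, topics = 2, []                # skip the packet identifier
        while p < len(body):
            topic, p = _read_string(body, p)
            topics.append(topic)
            p += 1                       # requested-QoS byte follows each topic filter
        return "SUBSCRIBE", {"topics": topics}
    return f"TYPE{ptype}", {}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    data: bytes                          # first application-layer bytes of the flow


def detect(flows, iot_hosts, approved_brokers):
    """Return alerts for MQTT seen from non-IoT hosts or to unapproved brokers."""
    alerts = []
    for f in flows:
        if f.dport not in MQTT_PORTS:
            continue
        detail = {}
        if f.dport == 1883:              # 8883 is TLS: only the flow-level rules apply there
            try:
                kind, detail = parse_packet(f.data)
            except (ValueError, IndexError, UnicodeDecodeError):
                continue                 # not MQTT after all, or a damaged capture
            if kind == "CONNECT" and detail["protocol"] not in ("MQTT", "MQIsdp"):
                continue
            detail = {"kind": kind, **detail}
        if f.src not in iot_hosts:
            alerts.append(("mqtt-from-non-iot-host", f.src, f.dst, detail))
        if f.dst not in approved_brokers:
            alerts.append(("mqtt-to-unapproved-broker", f.src, f.dst, detail))
    return alerts


def _encode(ptype, flags, body):
    """Build one packet; used only to construct the sample capture below."""
    rem, n = bytearray(), len(body)
    while True:
        b, n = n % 128, n // 128
        rem.append(b | 0x80 if n else b)
        if not n:
            break
    return bytes([(ptype << 4) | flags]) + bytes(rem) + body


def _s(text):
    return struct.pack(">H", len(text)) + text.encode()


def sample_flows():
    """Constructed capture (not real indicators): a sensor talking to the site
    broker, and a workstation reaching a public broker over a client-specific topic."""
    def connect(cid):
        return _encode(CONNECT, 0, _s("MQTT") + b"\x04\x02\x00\x3c" + _s(cid))
    return [
        Flow("10.0.5.21", "10.0.5.2", 1883, connect("sensor-07")),
        Flow("10.0.20.44", "203.0.113.10", 1883, connect("f3a9c1")),
        Flow("10.0.20.44", "203.0.113.10", 1883,
             _encode(SUBSCRIBE, 2, b"\x00\x01" + _s("clients/f3a9c1") + b"\x00")),
        Flow("10.0.20.44", "203.0.113.10", 443, b"\x16\x03\x01"),   # unrelated TLS, ignored
    ]


if __name__ == "__main__":
    for alert in detect(sample_flows(), {"10.0.5.21"}, {"10.0.5.2"}):
        print(*alert)
```

Run as a script, it prints four alerts, all for the workstation flows to the public broker and none for the sensor, whose source and destination both match the allowlists. A real deployment would key on the CONNECT packet seen at the start of each flow rather than on isolated packets, and would treat the topic names recorded in the alert details as pivots for the analyst rather than as signatures, since the article's point is that the newer version no longer uses a shared topic that could be watched.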
“As Hive0133 is assessed to be an initial access broker and may expand the variety of secondary payloads that it delivers in the future, monitor for emerging threat intelligence linking WailingCrab to new post-compromise activity,” said Metrick.