WailingCrab malware Abuse messaging protocol for C2 Communications

Researchers noticed developments in the sophisticated, multi-component malware dubbed WailingCrab, especially those pertaining to its C2 communication techniques, which included abusing the MQTT Internet-of-Things (IoT) messaging protocol.

The WailingCrab malware, commonly called WikiLoader, is mostly distributed via an initial access broker, Hive0133.

EHA

It was initially discovered in December 2022 and has since been widely utilized in email campaigns, mostly directed at Italian targets, to install the Gozi backdoor. These efforts have used Microsoft Excel, Microsoft OneNote, or PDF attachments. 

Hive0133 targets organizations with email campaigns delivering WailingCrab, typically exploiting themes like overdue delivery or shipping invoices. Additionally, it has been favoring the usage of PDF attachments with malicious URLs in its email campaigns in recent months.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Abusing Messaging Protocol for C2 Communications

According to IBM X-Force researchers, the main component of WailingCrab is its backdoor, which is only installed on the system in the event that the malware’s initial phases are successfully completed. 

WailingCrab’s backdoor component has been in contact with the C2 since the middle of 2023 via the lightweight IoT message protocol MQTT.

MQTT employs a publish/subscribe architecture in which a centralized broker distributes messages, which are then published to “topics” and received by subscribers. In this case, WailingCrab conceals the real address of the C2 server by using broker.emqx[.]io, a reputable third-party broker.

WailingCrab’s move to the MQTT protocol is a focused attempt to avoid detection and operate stealthily. Malware does not now frequently use the MQTT protocol.

On the other hand, as MQTT is mainly used for Internet of Things traffic, this can potentially make malicious usage of it simpler to identify in systems or environments in which there shouldn’t be any IoT activity.

To make WailingCrab even stealthier, the most recent versions do away with the calls to Discord for payload retrieval. Threat actors seeking to host malware are increasingly choosing Discord; therefore, it’s possible that file downloads from the domain will start to be scrutinized more closely. It follows that the WailingCrab developers’ choice of a different strategy is not shocking.

Only a few cases have been documented, the most recent being the MQsTTang backdoor linked to threat actor Mustang Panda. Consequently, security teams might not keep a close eye on the protocol’s usage, which would let the backdoor’s C2 communications go unnoticed.

Recommendation

  • Make sure all related files and anti-virus software are updated.
  • Search for existing evidence of the indicated IOCs in your environment Consider blocking and or setting up detection for all URL and IP-based IOCs
  • Consider preventing or keeping an eye on MQTT protocol use, particularly in systems or environments where IoT-related activity shouldn’t be occurring.
  • Maintain operating systems and apps at the most recent patch release level.
  • Use caution while clicking on links and attachments in emails.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.