Unleashing WikiLoader Malware Through Weaponized Excel, OneNote, and PDF Attachments

Image Credit by Pixabay

VTA-004453 – Unleashing WikiLoader Malware Through Weaponized Excel, OneNote, and PDF Attachments

The emergence of WikiLoader, a sophisticated malware, has posed a significant threat to Italian organizations. This malware is designed to install a second payload and employs evasion techniques to complicate detection and analysis. It is delivered through various methods commonly used by threat actors, including macro-enabled documents, PDFs with JavaScript payloads, and OneNote attachments with embedded executables.

Proofpoint researchers have identified multiple versions of WikiLoader, indicating ongoing development and continuous improvement of its detection evasion techniques. While the current payload delivered by WikiLoader is Ursnif, a banking Trojan, the evolving nature of the malware suggests it could potentially be used to deliver other types of malware. The malware utilizes obfuscation and custom code implementation, making it challenging to analyze using traditional methods. The authors of WikiLoader are constantly refining its evasion techniques, further complicating analysis and detection.

The targeting of Italian organizations by WikiLoader carries significant risks. Infections can result in severe system compromise, data loss, privacy breaches, financial losses, and even identity theft. As cyber threats continue to evolve, organizations and individuals must remain vigilant and take proactive measures to protect against sophisticated malware like WikiLoader. Disabling macros and keeping security software up to date are crucial steps in mitigating this threat.


Attack Surfaces:
Email, Endpoint, Office 365, Web Application

Credential Access, Execution, Initial Access, Lateral Movement, Reconnaissance

T1056 – Input Capture
T1113 – Screen Capture
T1189 – Drive-by Compromise
T1071 – Application Layer Protocol
T1105 – Ingress Tool Transfer
T1204 – User Execution
T1110 – Brute Force
T1027 – Obfuscated Files or Information
T1140 – Deobfuscate/Decode Files or Information
T1566 – Phishing
T1104 – Multi-Stage Channels

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Ensure that your security software is up to date and configured to detect and block malware threats.
2. Disable macros in Microsoft Office applications to prevent the execution of malicious code embedded in documents.
3. Be cautious of email attachments, especially those from unknown senders or those that request you to enable macros or download additional files.
4. Educate employees on how to identify and report suspicious emails and attachments.
5. Encourage your employees to report any suspicious activities or potential security incidents.
6. Implement multi-factor authentication to prevent unauthorized access to sensitive data and systems.
7. Regularly backup data to prevent data loss in case of a malware attack.
8. If you suspect being infected with the WikiLoader malware, disconnect the infected device from the network to prevent further spread of the malware.
9. Assess the potential impact of the infection by identifying compromised accounts or sensitive data.
10. Run a full system scan using reputable antivirus or anti-malware software to detect and remove the malware.
11. Change passwords for all potentially compromised accounts and administrator account.
12. Conduct a thorough investigation to determine how the malware entered your system.

Contributed by:  Varrumen