Wednesday, November 29, 2023

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

The WailingCrab malware represents a sophisticated and evolving cyber threat, characterized by its multi-component nature and advanced communication techniques. Since mid-2023, a significant development in its operation has been the adoption of the MQTT (Message Queuing Telemetry Transport) protocol for Command and Control (C2) communications. MQTT is a lightweight messaging protocol primarily used in Internet-of-Things (IoT) applications. This protocol offers a level of stealth for the malware by utilizing a publish/subscribe architecture and a centralized broker, making it more challenging to detect and intercept its communications.

This change in communication strategy indicates a focused effort by the operators of WailingCrab to enhance stealth and avoid detection. Notably, newer variants of the malware have removed previous methods of payload retrieval, such as callouts to Discord, further increasing its ability to operate undetected.

The use of MQTT for C2 communications is a significant tactical shift, underscoring the malware's adaptability and the threat actor's sophistication in leveraging less conventional channels for malicious activity. Such developments highlight the need for ongoing vigilance and adaptation in cybersecurity defenses, especially given the increasing complexity and stealthiness of emerging malware variants like WailingCrab.
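One defensive angle on the MQTT channel described above, as an added example that is not from the original post or the cited research: a small Python parser that recognises an MQTT CONNECT packet by its wire structure rather than by port, so a session opened towards a public broker such as broker.emqx.io, or MQTT carried on an unexpected port, can be flagged from the first client bytes of a captured flow. The sample CONNECT bytes and the flow record layout are constructed for this example, and all function and field names are my own.

```python
import struct

PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}  # names used by MQTT 3.1.1/5 and legacy 3.1
MQTT_PORTS = {1883, 8883}              # registered plaintext and TLS ports
# Constructed sample: MQTT 3.1.1 CONNECT, client id "wc-01", clean session, keep-alive 60 s
SAMPLE_CONNECT = bytes.fromhex("1011" "00044d515454" "04" "02" "003c" "000577632d3031")

def remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' (7 data bits per byte, at most 4 bytes)."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            return None, pos
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    return None, pos                   # a fifth continuation byte is malformed

def utf8_field(buf, pos):
    """Read a 2-byte big-endian length-prefixed string; (None, pos) if truncated."""
    n = struct.unpack(">H", buf[pos:pos + 2])[0] if pos + 2 <= len(buf) else None
    end = pos + 2 + n if n is not None else len(buf) + 1
    return (buf[pos + 2:end], end) if end <= len(buf) else (None, pos)

def parse_connect(payload):
    """Return CONNECT fields if payload is a well-formed MQTT 3.x CONNECT packet, else None."""
    if len(payload) < 2 or (payload[0] >> 4) != 1:   # control packet type 1 = CONNECT
        return None
    rem, pos = remaining_length(payload, 1)
    if rem is None or len(payload) - pos < rem:      # truncated or malformed length
        return None
    name, pos = utf8_field(payload, pos)
    # MQTT 5 (level 5) inserts a properties block before the client id; not handled here
    if name not in PROTOCOL_NAMES or pos + 4 > len(payload) or payload[pos] == 5:
        return None
    level, flags = payload[pos], payload[pos + 1]
    keepalive = struct.unpack(">H", payload[pos + 2:pos + 4])[0]
    client_id, _ = utf8_field(payload, pos + 4)
    return None if client_id is None else {
        "version": level, "keepalive": keepalive, "username": bool(flags & 0x80),
        "client_id": client_id.decode("utf-8", "replace")}

def classify_flow(flow, public_brokers=("broker.emqx.io",)):
    """Return (connect_fields, reasons) if the flow opens with an MQTT CONNECT, else None."""
    c = parse_connect(flow["payload"])
    if c is None:
        return None
    reasons = [r for r, hit in (("public broker", flow["dst"] in public_brokers),
                                ("non-standard port", flow["port"] not in MQTT_PORTS)) if hit]
    return c, reasons
```

The `reasons` list is what a hunting rule would act on: a CONNECT from an ordinary workstation to a public broker, or on a port where no MQTT is expected, deserves a look even when the broker itself is benign.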

IoC

HOSTNAME

  • broker.emqx.io

SHA256

  • 9d80eb4be1e9139a03a6aa3f053fec14ed1880251b1f13d85d84d7d64dddd581
  • 50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51

TAGS

wailingcrab, mqtt, backdoor, loader, hive0133, ta544
