
WikiLoader Ursnif banking trojan threatens organisations in Italy


Italian organisations are facing a new phishing campaign involving a sophisticated malware called WikiLoader.

The primary objective of this campaign is to install a banking trojan, a stealer, and spyware called Ursnif (also known as Gozi). Proofpoint, an enterprise security firm, discovered the malware and reported that it was initially detected in the wild on December 27, 2022.

WikiLoader has earned its name due to a unique characteristic of requesting Wikipedia and checking for the presence of the string “The Free” in the response. This malware is being utilised in campaigns involving emails containing Microsoft Excel, Microsoft OneNote, or PDF attachments to lure victims into deploying the downloader, which is then used to install Ursnif.

The threat actor responsible for WikiLoader is TA544, also known as Bamboo Spider and Zeus Panda. They have been using various mechanisms to evade detection and have likely developed this malware to rent it out to other cybercriminal groups. Another threat actor, TA551 (aka Shathak), has been observed using WikiLoader, further suggesting that it is being shared among multiple cybercrime groups.

A sample of the Excel file used in the campaign. | Source: Proofpoint

The campaigns are evolving, with recent ones in mid-July 2023 employing accounting-themed PDF attachments with URLs leading to ZIP archive files. These ZIP files contain JavaScript files responsible for downloading and executing WikiLoader. The malware is heavily obfuscated and designed to bypass endpoint security software and avoid detection in automated analysis environments. Furthermore, it utilises a shellcode payload hosted on Discord to launch Ursnif.
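The two network behaviours described above (a Wikipedia request used as a check before the loader proceeds, followed by a fetch of the Discord-hosted stage) can be correlated in web-proxy logs. The following is an added detection example written for this page, not code from Proofpoint or from the article; the log field layout, the sample lines and the ten-minute window are constructed assumptions.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample proxy log, one event per line:
# "<ISO timestamp> <client ip> <destination host> <user agent>"
SAMPLE_LOG = """\
2023-07-18T09:01:02 10.0.0.5 en.wikipedia.org Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2023-07-18T09:03:10 10.0.0.7 en.wikipedia.org -
2023-07-18T09:03:41 10.0.0.7 cdn.discordapp.com -
2023-07-18T09:10:00 10.0.0.9 cdn.discordapp.com Mozilla/5.0 (Windows NT 10.0) Chrome/115.0
2023-07-18T11:30:00 10.0.0.5 cdn.discordapp.com Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
"""

# Substrings that a normal browser User-Agent carries; a bare "-" or an
# empty/odd agent string is what a loader's own HTTP client tends to send.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")

def parse_line(line):
    ts, ip, host, ua = line.split(" ", 3)  # user agent may contain spaces
    return datetime.fromisoformat(ts), ip, host, ua

def is_browser_ua(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)

def find_suspicious_hosts(log_text, window_seconds=600):
    """Return client IPs that fetched wikipedia.org with a non-browser
    User-Agent and then reached cdn.discordapp.com within window_seconds."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, host, ua = parse_line(line)
        events[ip].append((ts, host, ua))
    hits = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (t1, host1, ua1) in enumerate(evs):
            if not host1.endswith("wikipedia.org") or is_browser_ua(ua1):
                continue  # ordinary browsing of Wikipedia is not a signal
            for t2, host2, _ in evs[i + 1:]:
                if (t2 - t1).total_seconds() > window_seconds:
                    break
                if host2 == "cdn.discordapp.com":
                    hits.add(ip)
                    break
    return sorted(hits)

if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_LOG))  # ['10.0.0.7']
```

Browser traffic to Wikipedia (10.0.0.5) and a lone Discord fetch (10.0.0.9) are ignored; only the host that performed both steps with a non-browser agent inside the window is returned.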

According to Selena Larson, a senior threat intelligence analyst at Proofpoint, WikiLoader is continually being updated by its authors to remain undetected. She warns that more criminal threat actors may start using this malware, especially those conducting regular activities leading to ransomware.

A sample of the email targeting the organisations. | Source: Proofpoint

In previous campaigns, TA544 employed Microsoft Excel attachments with VBA macros, which, when enabled by recipients, downloaded and executed WikiLoader. Meanwhile, TA551 also targeted Italy with this malware. Although hackers have shifted away from using malicious Microsoft Office macros due to Microsoft’s efforts to block their execution, TA544 continues utilising them in their attack chains.

As for Ursnif, the banking trojan targeted by WikiLoader, it has been a well-known threat since its source code leaked online in 2015. The leaked code enabled attackers to create more customised and harder-to-detect trojan versions. Ursnif is notorious for stealing passwords and credentials, focusing primarily on the banking and financial sectors.

To protect against this evolving threat, Proofpoint researchers recommend disabling macros by default for all employees and blocking the execution of embedded external files within OneNote documents. They also urge organisations to stay vigilant and take the necessary steps to safeguard their systems against exploitation.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
