That delivery email could be malware - here's what you need to know


Experts have spotted a new malware campaign that uses delivery and shipping-themed phishing emails to drop the payload on target endpoints.

In a report, IBM X-Force researchers said that hackers known as TA544 (AKA Bamboo Spider, Zeus Panda) were sending out phishing emails purporting to come from delivery service providers and discussing pending payments. The “details” would be sent as a .PDF attachment which, when opened, would download a JavaScript file whose purpose was to fetch and run the WailingCrab loader hosted on Discord.

WailingCrab is a multi-faceted piece of malware, they said: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said in the report.



MQTT protocol for stealth

The loader will launch a separate module, which would then ultimately download a backdoor. "In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said. "However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."

The backdoor establishes persistence and contacts the C2 server via the MQTT protocol, which also allows it to receive further payloads if needed. Furthermore, newer versions are moving away from Discord towards a shellcode-based payload received directly from the C2 over MQTT.

"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the experts said. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."
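Because MQTT is rarely spoken by user workstations, the handshake itself is a useful detection point. As an added defensive example (not code from the article or from IBM X-Force), the following parses the MQTT CONNECT packet and flags sessions from hosts outside an allowlist of expected MQTT clients; the sample packet bytes, hostnames and allowlist are constructed.

```python
# Detect MQTT CONNECT handshakes from hosts that should never speak MQTT. Added
# defensive example; sample packets, hostnames and the allowlist are constructed.
import struct

CONNECT = 1  # MQTT control packet type, high nibble of the first byte

def decode_remaining_length(data, pos):
    """MQTT 'remaining length': 1-4 bytes, 7 data bits each, MSB = continue."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")

def read_utf8(data, pos):
    """Length-prefixed (2-byte big-endian) UTF-8 string used throughout MQTT."""
    (length,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + length].decode("utf-8", "replace"), pos + 2 + length

def parse_connect(packet):
    """Return CONNECT fields as a dict, or None if this is not an MQTT CONNECT."""
    if len(packet) < 2 or packet[0] >> 4 != CONNECT:
        return None
    remaining, pos = decode_remaining_length(packet, 1)
    if remaining < 12 or len(packet) - pos < remaining:
        return None  # too short for a CONNECT, or truncated capture
    proto, pos = read_utf8(packet, pos)
    if proto not in ("MQTT", "MQIsdp"):  # v3.1.1/v5 name and legacy v3.1 name
        return None
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    client_id, _ = read_utf8(packet, pos + 4)
    return {"level": level, "keepalive": keepalive, "client_id": client_id,
            "has_credentials": bool(flags & 0xC0)}  # username/password flag bits

def flag_unexpected_mqtt(flows, mqtt_allowed_hosts):
    """flows: (src_host, dst, first client->server bytes). Alert on a CONNECT
    from any host outside the allowlist, e.g. a user workstation."""
    return [(src, dst, info["client_id"]) for src, dst, payload in flows
            if (info := parse_connect(payload)) and src not in mqtt_allowed_hosts]

# Constructed: CONNECT, "MQTT", level 4, clean-session flag, keepalive 60, id "host1234"
SAMPLE_CONNECT = b"\x10\x14" + b"\x00\x04MQTT" + b"\x04\x02\x00\x3c" + b"\x00\x08host1234"
SAMPLE_FLOWS = [
    ("iot-gw", "broker.internal:1883", SAMPLE_CONNECT),     # expected publisher
    ("wks-17", "203.0.113.5:1883", SAMPLE_CONNECT),         # workstation: suspicious
    ("wks-18", "203.0.113.5:443", b"\x16\x03\x01\x00\x00"), # TLS ClientHello, not MQTT
]
```

Note that a TLS record's first byte (0x16) also has high nibble 1, so the length and protocol-name checks, not the type nibble alone, are what keep the detector from misfiring on ordinary HTTPS.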

Discord recently said it will move to temporary file links by the end of the year, in an attempt to stop the abuse of its content delivery network.

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
