This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick.

IBM X-Force researchers have been tracking developments in the WailingCrab malware family, in particular those relating to its command-and-control (C2) communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT.

WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab was first observed in December 2022 and has since been used extensively in email campaigns delivering the Gozi backdoor, often against Italian targets. In recent months, Hive0133 has targeted organizations beyond Italy with email campaigns delivering WailingCrab, frequently using lures such as overdue delivery or shipping invoices.

The malware authors have focused on stealth and anti-analysis techniques throughout WailingCrab’s continued development. The malware is split into multiple components, including a loader, injector, downloader and backdoor, and each stage typically depends on a successful request to a C2 server to retrieve the next one. Initial C2 communications go through legitimate but compromised websites to lower the chance of network detection, and payloads are often hosted on well-known platforms such as Discord. C2 servers are often taken down or stop responding soon after a campaign, which can prevent threat researchers from reaching them and retrieving the later stages of the malware. Additionally, WailingCrab uses code obfuscation, anti-analysis and anti-sandbox techniques throughout its code.

WailingCrab’s core component is its backdoor, which is installed on the system only if the malware’s earlier stages complete successfully. Since mid-2023, the backdoor has communicated with its C2 over MQTT, a lightweight IoT messaging protocol. MQTT uses a publish/subscribe architecture: clients publish messages to ‘topics’, subscribers to those topics receive them, and a centralized broker handles distribution, so publisher and subscriber never connect to each other directly. In this instance, WailingCrab uses the legitimate, third-party broker broker.emqx[.]io, so the infected host only ever connects to the public broker and the true address of the C2 server stays hidden.

WailingCrab’s use of MQTT is notable, as the protocol is rarely used by malware. Only a handful of instances have been reported, the most recent being the MQsTTang backdoor attributed to the threat actor Mustang Panda. As a result, MQTT traffic may not be monitored as closely by security teams, allowing the backdoor’s C2 communications to fly under the radar.
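To make the publish/subscribe mechanics and the resulting monitoring gap concrete, the following Python is an added example, not code from this article or from WailingCrab itself. It decodes MQTT 3.1/3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets from a reassembled client-to-broker TCP stream, recognises MQTT regardless of destination port, and flags sessions to a public broker. The broker watchlist (seeded only with the broker named above), the client ID, the topic names and the sample stream are all constructed for this example and are not WailingCrab indicators.

```python
import struct

CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8   # control packet types (high nibble of byte 0)
# Illustrative watchlist for this example: broker.emqx.io is the public broker named in the article.
PUBLIC_BROKERS = {"broker.emqx.io"}

def _decode_remaining_length(buf, pos):
    """MQTT variable-length integer: 7 data bits per byte, high bit = continuation."""
    value, mult = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128

def _read(buf, pos, text=True):
    """Length-prefixed field (2-byte big-endian length). Returns (value, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2:pos + 2 + n]
    return (raw.decode("utf-8") if text else raw), pos + 2 + n

def _utf8(s):
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

# Client-side encoders used to build the sample stream; bodies stay under 128 bytes, so one length byte.
def build_connect(client_id, username=None, keepalive=60):
    flags = 0x02 | (0x80 if username else 0)     # clean session; bit 7 = username present
    body = (_utf8("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive)
            + _utf8(client_id) + (_utf8(username) if username else b""))
    return bytes([CONNECT << 4, len(body)]) + body

def build_publish(topic, payload, qos=0, packet_id=1):    # QoS in bits 1-2; packet ID only if QoS > 0
    body = _utf8(topic) + (struct.pack(">H", packet_id) if qos else b"") + payload
    return bytes([(PUBLISH << 4) | (qos << 1), len(body)]) + body

def build_subscribe(filters, packet_id=1):                # fixed flags 0b0010; (filter, requested QoS) pairs
    body = struct.pack(">H", packet_id) + b"".join(_utf8(f) + b"\x00" for f in filters)
    return bytes([(SUBSCRIBE << 4) | 0x02, len(body)]) + body

def parse_packets(stream):
    """Yield one dict per control packet (MQTT 3.1/3.1.1; MQTT 5 adds a properties field not handled here)."""
    pos = 0
    while pos < len(stream):
        ptype, flags = stream[pos] >> 4, stream[pos] & 0x0F
        length, body = _decode_remaining_length(stream, pos + 1)
        end = body + length
        if end > len(stream):
            raise ValueError("truncated packet")
        if ptype == CONNECT:
            proto, p = _read(stream, body)
            level, cflags = stream[p], stream[p + 1]        # bytes p+2..p+3 are the keep-alive
            client_id, p = _read(stream, p + 4)
            if cflags & 0x04:                               # will flag: skip will topic and will message
                p = _read(stream, _read(stream, p)[1], text=False)[1]
            username = _read(stream, p)[0] if cflags & 0x80 else None
            yield {"type": "CONNECT", "protocol": proto, "level": level, "client_id": client_id, "username": username}
        elif ptype == PUBLISH:
            topic, p = _read(stream, body)
            qos = (flags >> 1) & 0x03
            yield {"type": "PUBLISH", "topic": topic, "qos": qos, "payload": stream[p + (2 if qos else 0):end]}
        elif ptype == SUBSCRIBE:
            p, filters = body + 2, []                       # skip packet identifier
            while p < end:
                f, p = _read(stream, p)
                filters.append(f)
                p += 1                                      # requested QoS byte
            yield {"type": "SUBSCRIBE", "filters": filters}
        pos = end

def is_mqtt_connect(payload):
    """Port-agnostic check: does this client->server payload open with a well-formed MQTT CONNECT?"""
    try:
        first = next(parse_packets(payload))
    except (ValueError, IndexError, UnicodeDecodeError, StopIteration, struct.error):
        return False
    return first.get("protocol") in ("MQTT", "MQIsdp") and first.get("level") in (3, 4)

def analyze_flow(dst_host, dst_port, payload):
    """Findings for one client->server TCP flow; empty list if it does not open with MQTT."""
    if not is_mqtt_connect(payload):
        return []
    findings = [f"MQTT on non-standard port {dst_port}"] if dst_port not in (1883, 8883) else []
    if dst_host in PUBLIC_BROKERS:
        findings.append(f"MQTT session to public broker {dst_host}")
    try:
        for pkt in parse_packets(payload):
            if pkt["type"] == "SUBSCRIBE":
                findings.append("subscribes to " + ",".join(pkt["filters"]))
            elif pkt["type"] == "PUBLISH":
                findings.append(f"publishes {len(pkt['payload'])} bytes to {pkt['topic']}")
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        findings.append("malformed MQTT after CONNECT")
    return findings

# Constructed sample (not a real WailingCrab capture; client ID and topic names are invented).
SAMPLE_STREAM = (build_connect("host-7f3a", username="bot") + build_subscribe(["cmd/host-7f3a"])
                 + build_publish("checkin/host-7f3a", b'{"os":"win10"}', qos=1))
```

Calling analyze_flow("broker.emqx.io", 1883, SAMPLE_STREAM) returns three findings: the session to the public broker, the subscription to cmd/host-7f3a and a 14-byte publish to checkin/host-7f3a. The port-agnostic CONNECT check is the part worth keeping even if the rest is replaced by a proper IDS rule: a subscribe-only implant produces little beyond the initial CONNECT and periodic keep-alives, so the CONNECT is the one packet a detection can count on seeing. The decoder only sees plaintext sessions; for MQTT over TLS (conventionally port 8883) the broker hostname in DNS or TLS SNI is the remaining network observable.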

This blog provides an overview of WailingCrab and its C2 communications, with a focus on its use of the MQTT protocol.