That delivery email could be malware - here's what you need to know

WailingCrab is a multi-faceted piece of malware, they said: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said in the report.

MQTT protocol for stealth

The loader will launch a separate module, which would then ultimately download a backdoor. "In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN," the researchers said. "However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor."

The backdoor establishes persistence and contacts the C2 server via MQTT protocol, which also allows it to receive more payloads if need be. Furthermore, newer versions are moving away from Discord and into a shellcode-based payload received directly from the C2 via MQTT. 

"The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion," the experts said. "The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness."

Discord recently said it will move to temporary file links by the end of the year, in an attempt to stop the abuse of its content delivery network.

Via TheHackerNews

More from TechRadar Pro

• Discord is switching to temporary links to stop malware
• Here's a list of the best firewalls around today
• These are the best identity theft protection tools right now