Wali

Wali is a trojan loader first reported in early 2017. The trojan's file size is over 100MB, much larger than most malware files. It is the trojan loader component that activates a backdoor - named "Wali" by the malware author. The backdoor module is injected into the memory of the iexplorer.exe process. It is so large in size because it has a large overlay of junk data. The overlay is created by the dropper when the loader is installed on the victim's machine. The junk data inflates the size of the malware executable in an effort to complicate sample exchanges, stay below the radar of commonly-used YARA rules, and evade antivirus programs. It uses a "create_garbage_data" function to generate a random byte in a loop with 1,000 iterations, producing roughly 100MB of junk data to be appended to the executable.

Reporting

  • May 2017: Cybereason researchers discovered "ShadowWali," likely an earlier version of the Wali trojan. (Cybereason)

Technical Details

  • BleepingComputer provides technical details on the Wali trojan, available here.