Hackers Use Counterfeit GlobalProtect VPN Software in New WikiLoader Malware Attack
A fake version of Palo Alto Networks’ GlobalProtect VPN software is being used in a new malware campaign to deliver a variant of the WikiLoader (aka WailingCrab) loader, with victims lured through search engine optimization (SEO) poisoning.
The activity, observed in June 2024, marks a departure from earlier campaigns in which the malware was delivered through traditional phishing emails, according to Unit 42 researchers Mark Lim and Tom Marsden.
WikiLoader was first documented by Proofpoint in August 2023, which tied it to a threat actor tracked as TA544 that used the loader in email attacks to deploy Danabot and Ursnif.
In April, South Korean cybersecurity firm AhnLab described an attack that used a trojanized Notepad++ plugin as the distribution vector.
Unit 42 assesses that the loader is rented out to at least two Initial Access Brokers (IABs), and notes that the attack chains include techniques designed to evade detection by security tools.
“Malicious actors frequently resort to SEO manipulation to dupe individuals into entering a page that masquerades as a genuine search outcome to transmit malware as opposed to the desired content,” as mentioned by the investigators.
“This campaign’s distribution framework exploited mirrored platforms rebranded as GlobalProtect alongside cloud-hosted Git repositories.”
Users who search for the GlobalProtect software are shown Google ads that, when clicked, redirect them to a fake GlobalProtect download page, where the infection chain begins.
The MSI installer contains an executable (“GlobalProtect64.exe”) that is actually a renamed copy of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab); it is used to sideload a malicious DLL named “i4jinst.dll.”
The DLL then executes shellcode that passes through several stages before finally downloading and launching the WikiLoader backdoor from a remote server.
To make the installer look legitimate and further deceive victims, a fake error message is displayed once the process completes, claiming that certain libraries are missing from their Windows system.
Besides abusing renamed legitimate software for sideloading, the threat actors have added anti-analysis checks to determine whether WikiLoader is running in a virtualized environment, terminating the loader if it finds processes associated with virtual machine tools.
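As an added illustration, not code from the Unit 42 report, the following Python triage script runs over constructed Sysmon-style image-load records and flags the sideloading pattern described above: the campaign's GlobalProtect64.exe/i4jinst.dll pair, an executable whose on-disk name differs from its PE OriginalFileName (a renamed binary), and a non-system DLL loaded from a user-writable directory. All paths, user names and OriginalFileName values are constructed placeholders.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style image-load records (EventID 7). Only the file names
# GlobalProtect64.exe and i4jinst.dll come from the Unit 42 write-up; every
# path, user name and OriginalFileName value is a made-up placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u1\AppData\Local\Temp\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Users\u1\AppData\Local\Temp\i4jinst.dll",
     "OriginalFileName": "trading-client.exe"},   # renamed binary sideloading the DLL
    {"Image": r"C:\Program Files\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "OriginalFileName": "app.exe"},              # benign: names agree, system DLL
    {"Image": r"C:\Users\u1\Downloads\updater.exe",
     "ImageLoaded": r"C:\Users\u1\Downloads\helper.dll",
     "OriginalFileName": "setup-tool.exe"},       # renamed, but not the campaign's pair
]

# Executable/DLL pairs named in the report, as lower-cased file names.
KNOWN_SIDELOAD_PAIRS = {("globalprotect64.exe", "i4jinst.dll")}

def name_of(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def findings(ev: dict) -> list:
    """Return the hunt rules an image-load record matches (empty list if none)."""
    exe, dll = name_of(ev["Image"]), name_of(ev["ImageLoaded"])
    hits = []
    if (exe, dll) in KNOWN_SIDELOAD_PAIRS:
        hits.append("known sideload pair")
    # PE OriginalFileName differs from the on-disk name: a renamed binary, as the
    # report describes for the trading application behind GlobalProtect64.exe.
    original = ev.get("OriginalFileName", "").lower()
    if original and original != exe:
        hits.append("renamed executable")
    # A non-system DLL sitting next to its executable in a user-writable location
    # is the classic sideloading layout; DLLs under C:\Windows are ignored.
    dll_path = ev["ImageLoaded"].lower()
    if (PureWindowsPath(ev["Image"]).parent == PureWindowsPath(ev["ImageLoaded"]).parent
            and "\\users\\" in dll_path and not dll_path.startswith("c:\\windows\\")):
        hits.append("co-located DLL in user-writable path")
    return hits

def severity(hits: list) -> str:
    # The campaign's exact pair is high; two generic signals together are medium.
    return "high" if "known sideload pair" in hits else ("medium" if len(hits) >= 2 else "low")

def hunt(events: list) -> list:
    """Return (executable name, severity, findings) for every record that matched."""
    return [(name_of(ev["Image"]), severity(h), h) for ev in events if (h := findings(ev))]
```

The record for the benign application produces no findings, so only the two suspicious loads are reported.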

While the reason for the shift from phishing to SEO poisoning as a delivery method remains unclear, Unit 42 suggested that another IAB may be involved in the current campaign, or that groups already distributing the malware may have reacted to its public disclosure.
“The amalgamation of counterfeit, compromised, and authentic infrastructure leveraged by WikiLoader campaigns underscores the malevolent adversaries’ commitment to constructing an operationally secure and resilient loader, incorporating numerous [command-and-control] configurations,” as affirmed by the researchers.
The disclosure comes shortly after Trend Micro uncovered a campaign that likewise uses fake GlobalProtect VPN software to target users in the Middle East with backdoor malware.