A new malware campaign is spoofing Palo Alto Networks’ GlobalProtect VPN software to deliver a variant of WikiLoader (aka WailingCrab) using a search engine optimization (SEO) campaign.
The malware observed in June 2024 is a departure from previously observed tactics where malware was distributed via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden note said.
WikiLoader, documented for the first time Proofpoint in August 2023 was attributed to a threat known as TA544 with email attacks using the Danabot and Ursnif malware to deploy.
Then in April of this year, South Korean cybersecurity company AhnLab in detail an attack campaign that used a trojanized version of the Notepad++ plugin as a distribution vector.
At the same time, it is suspected that the rented loader is used by at least two Initial Access Brokers (IABs) on unit 42, saying that the attack chains are characterized by tactics that allow it to avoid detection by security tools.
“Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs a legitimate search result to deliver malware instead of the product they’re looking for,” the researchers said.
“This company’s delivery infrastructure used cloned websites rebranded as GlobalProtect along with cloud-based Git repositories.”
Thus, users searching for GlobalProtect software are shown a Google ad that, when clicked, redirects users to a fake GlobalProtect download page, effectively starting the infection sequence.
The MSI installer includes an executable file (“GlobalProtect64.exe”) that is actually a renamed version of a legitimate stock trading application from TD Ameritrade (now part of Charles Schwab) that is used to download a malicious DLL called “i4jinst.dll.”
This paves the way for shellcode execution that goes through a sequence of steps to finally download and run the WikiLoader backdoor from the remote server.
To further enhance the installer’s perceived legitimacy and trick victims, a fake error message is displayed at the end of the entire process, telling them that certain libraries are missing from their Windows computers.
In addition to using rebranded versions of legitimate software to sideload malware, threat actors have included anti-analysis checks that determine if WikiLoader is running in a virtualized environment and terminate itself when it detects processes related to virtual machine software.
While the reason behind the switch from phishing to SEO poisoning as a distribution mechanism is unclear, Unit 42 suggested that perhaps the campaign was the work of another IAB or that existing malware groups did so in response to public disclosure .
“The combination of fake, compromised, and legitimate infrastructure used by WikiLoader campaigns reinforces the focus of malware authors on creating a secure and reliable bootloader with multiple (command and control) configurations,” the researchers said.
The disclosure comes days after Trend Micro uncovered a new company that also uses fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.
