Hackers Use Fake GlobalProtect VPN Software in Novel WikiLoader Malware Offensive

A new malware campaign is impersonating Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader loader (also tracked as WailingCrab), using search engine optimization (SEO) poisoning rather than email as the lure.

The malvertising activity, first observed in June 2024, departs from the loader's known delivery method, which until now relied on conventional phishing emails, according to Unit 42 researchers Mark Lim and Tom Marsden.

WikiLoader was first documented by Proofpoint in August 2023 and has been attributed to a threat actor tracked as TA544, which used it in email-based campaigns to deploy follow-on malware such as Danabot and Ursnif.

In April 2024, South Korean cybersecurity firm AhnLab separately reported a campaign that distributed the loader through a trojanized Notepad++ plugin.

Unit 42 assesses that the loader-for-hire is likely rented by at least two initial access brokers (IABs), and notes that the attack chains are built to evade detection by security products.

"SEO poisoning is frequently wielded by cyber adversaries as an initial access technique, duping users into visiting a spoofed page that impersonates a legitimate search result, ultimately delivering malware in lieu of the anticipated software," the researchers said.

The campaign uses cloned websites rebranded as GlobalProtect download pages, together with cloud-hosted Git repositories, to stage the malware.

Users searching for GlobalProtect are shown Google ads that, when clicked, redirect them to a counterfeit GlobalProtect download page, which starts the infection chain.

The downloaded MSI installer contains an executable named "GlobalProtect64.exe" that is in fact a renamed copy of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab). The renamed binary is used to sideload a malicious DLL named "i4jinst.dll".

That DLL runs shellcode that downloads and launches the WikiLoader backdoor from a remote server.
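The detection angle on the sideloading step described above, as an added example that is not from Unit 42's report or from this article: Sysmon's process-creation event (Event ID 1) carries an OriginalFileName field read from the PE version resource, so a legitimate binary that has merely been renamed on disk stands out, and the same process's image-load events (Event ID 7) show which DLLs it pulled in and whether they were signed. The script below applies that logic to a handful of constructed Sysmon-style events. The file names GlobalProtect64.exe and i4jinst.dll come from the report; the original file name "ExampleTrading.exe", the paths, the benign vendor process and the signature fields are made-up placeholders for illustration.

```python
"""Hunt for DLL sideloading by a renamed legitimate executable.

Added illustration, not Unit 42's code. Input is a list of dicts shaped like
Sysmon events: Event ID 1 (process create, with Image and OriginalFileName)
and Event ID 7 (image load, with Image, ImageLoaded, Signed, SignatureStatus).
All sample values below are constructed except the two file names the report
gives (GlobalProtect64.exe, i4jinst.dll).
"""

# Paths an unprivileged user can write to; a DLL loaded from here is untrusted by default.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Paths where Windows keeps its own DLLs; loads from here are expected and ignored.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def is_renamed_binary(proc_event):
    """Sysmon Event 1: OriginalFileName comes from the PE version resource, so it
    survives renaming on disk. A mismatch with the on-disk name means the file was
    renamed (a GlobalProtect64.exe that is really a trading application)."""
    original = proc_event.get("OriginalFileName", "").lower()
    if not original or original == "?":   # field absent or not populated by the vendor
        return False
    return original != _basename(proc_event["Image"])


def is_suspicious_sideload(load_event, renamed_images):
    """Sysmon Event 7: a process already flagged as renamed loads a DLL that is not
    from a system directory, sits beside the executable or in a user-writable path,
    and does not carry a valid Authenticode signature."""
    image = load_event["Image"].lower()
    dll = load_event["ImageLoaded"].lower()
    if image not in renamed_images:
        return False
    if dll.startswith(SYSTEM_DLL_DIRS):
        return False
    beside_exe = _dirname(dll) == _dirname(image)
    user_path = dll.startswith(USER_WRITABLE_PREFIXES)
    valid_sig = (load_event.get("Signed", "").lower() == "true"
                 and load_event.get("SignatureStatus", "").lower() == "valid")
    return (beside_exe or user_path) and not valid_sig


def hunt(events):
    """Return (rule, image, detail) tuples for renamed binaries and the DLLs they sideload."""
    renamed = set()
    alerts = []
    for e in events:
        if e["EventID"] == 1 and is_renamed_binary(e):
            renamed.add(e["Image"].lower())
            alerts.append(("renamed-binary", e["Image"], e["OriginalFileName"]))
        elif e["EventID"] == 7 and is_suspicious_sideload(e, renamed):
            alerts.append(("sideload", e["Image"], e["ImageLoaded"]))
    return alerts


# Constructed sample telemetry: the fake installer's chain, plus a benign vendor process
# that loads its own unsigned helper DLL but was never renamed (no alert expected).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\GlobalProtect64.exe",
     "OriginalFileName": "ExampleTrading.exe"},   # placeholder, not the real vendor file name
    {"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\GlobalProtect64.exe",
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\i4jinst.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\GlobalProtect64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Program Files\\Vendor\\Updater.exe",
     "OriginalFileName": "Updater.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\Updater.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:15} {image}  <-  {detail}")
```

Two caveats for anyone turning this into a production rule: the renamed-binary signal only exists when the original vendor populated the version resource (Sysmon shows "?" otherwise), and plenty of legitimate installers load DLLs from their own directory, which is why the rule requires the renamed-binary match plus an unsigned DLL from a non-system path rather than firing on same-directory loads alone.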

To make the installer look legitimate and keep the victim from becoming suspicious, a fake error message is displayed at the end of the process claiming that certain libraries are missing from the Windows system.

Besides sideloading through renamed legitimate software, the operators have added anti-analysis checks: WikiLoader looks for processes associated with virtual machines and terminates if it finds any, a common way of avoiding analysis sandboxes.

The reason for the shift from phishing to SEO poisoning is unclear. Unit 42 suggests it could be the work of a different IAB, or a deliberate change by the existing operators in response to public reporting on their activity.

"The confluence of spoofed, compromised, and legitimate infrastructure exploited by WikiLoader campaigns underscores the malware authors' meticulous attention to constructing a resilient and operationally secure loader, equipped with multiple command-and-control configurations," the researchers said.

The disclosure follows a Trend Micro report on a separate campaign that used fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.
