Palo Alto Networks warns that threat actors are spoofing its GlobalProtect VPN software and delivering malicious payloads to users who trust the first results Google Search shows them. This is a shift away from traditional phishing attacks.
In June 2024, security researchers from Palo Alto Networks’ Unit 42 discovered a new malicious campaign.
Threat actors used the GlobalProtect VPN brand to place Google Search ads that appeared above the genuine search results and led to a malicious website.
The landing pages posed as legitimate Palo Alto Networks GlobalProtect pages and tricked users into downloading WikiLoader, a malware loader disguised as the VPN client.
WikiLoader can download additional payloads, steal data, and give attackers remote access. This loader-for-rent has been active since late 2022 and has been updated with “some unique tricks.” Researchers believe that initial access brokers – threat actors who specialize in gaining a foothold in computer systems and selling it on – are shifting from phishing to delivery through SEO (search engine optimization) poisoning.
SEO poisoning means that attacker-controlled sites appear on the front page of search results in place of the legitimate product. Attackers achieve this by purchasing advertisements or by artificially raising a page’s search ranking.
Some organizations in the US’s higher education and transportation sectors have already been affected by WikiLoader, according to Palo Alto researchers, who are warning that SEO poisoning broadens the scope of potential victims.
“While SEO poisoning is not a new technique, it continues to be an effective way to deliver a loader to an endpoint. Spoofing trusted security software is likely to assist in bypassing endpoint controls at organizations that rely on filename-based allow listing,” the Unit 42 report said.
Proofpoint recently detailed how attackers used WikiLoader to deliver banking trojans such as Danabot and Ursnif/Gozi to organizations in Italy.
Attackers used several tricks to avoid detection. The sample file recovered from a victim was named GlobalProtect64, but it was actually a renamed copy of a legitimate share-trading application, used to sideload the initial WikiLoader component. The zip file also contained more than 400 hidden files.
To prevent victims from wondering why GlobalProtect was not installed, the malware shows a fake error message saying that a DLL is missing once the infection is complete.
Other renamed legitimate software, for example, the Microsoft Sysinternals tool ADInsight.exe, was concealed inside the installer to sideload backdoors.
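The renamed trading application and the relocated ADInsight.exe both defeat defenses that trust a file on its name alone, which is the weakness the Unit 42 report calls out in filename-based allow listing. The script below is an added illustration of how a defender can catch that on endpoint telemetry; it is not code from the report or from Palo Alto Networks. It assumes Sysmon Event ID 1 (ProcessCreate) records carrying the Image, OriginalFileName, Signed and Signature fields, and every record, expected-signer mapping and tool list in it is constructed for the example.

```python
"""Flag renamed or staged binaries in Sysmon-style process-creation records.

Added example, not code from the Unit 42 report. It assumes Sysmon Event ID 1
(ProcessCreate) records with the Image, OriginalFileName, Signed and
Signature fields; the records below are constructed for illustration.
"""
import ntpath

# Constructed sample records in the shape of Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Genuine GlobalProtect agent: name, PE metadata and signer all agree.
    {"Image": r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe",
     "OriginalFileName": "PanGPA.exe", "Signed": "true",
     "Signature": "Palo Alto Networks"},
    # Download named like the VPN client, but whose PE metadata and signer
    # belong to an unrelated (constructed) trading application.
    {"Image": r"C:\Users\alice\Downloads\GlobalProtect64.exe",
     "OriginalFileName": "TradingApp.exe", "Signed": "true",
     "Signature": "Example Trading Ltd"},
    # Genuine, Microsoft-signed Sysinternals tool, but launched from a
    # user-writable staging directory rather than an admin's tools folder.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup\ADInsight.exe",
     "OriginalFileName": "ADInsight.exe", "Signed": "true",
     "Signature": "Microsoft Corporation"},
    # Benign control case; OriginalFileName differs only by letter case.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Signed": "true",
     "Signature": "Microsoft Windows"},
]

# Names an allow list might trust on their own, with the publisher that
# should appear in the Authenticode signer string (constructed mapping).
EXPECTED_SIGNER = {
    "globalprotect64.exe": "palo alto networks",
    "pangpa.exe": "palo alto networks",
}

# Dual-use admin tools that are attractive sideload hosts
# (constructed list; extend it from your own software inventory).
SIDELOAD_HOSTS = {"adinsight.exe"}

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def check_event(ev):
    """Return the list of findings for one process-creation record."""
    findings = []
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    orig = ev.get("OriginalFileName", "").lower()
    signer = ev.get("Signature", "").lower()
    in_user_dir = any(seg in image.lower() for seg in USER_WRITABLE)

    # 1. The on-disk name is not what the PE version resource says the
    #    file was built as: a renamed binary, which name-based lists miss.
    if orig and orig != name:
        findings.append(f"renamed binary: {name} has OriginalFileName {orig}")

    # 2. A name the allow list trusts, but not signed by the expected vendor.
    expected = EXPECTED_SIGNER.get(name)
    if expected and expected not in signer:
        findings.append(f"{name} signed by '{ev.get('Signature', '')}', "
                        f"expected '{expected}'")

    # 3. A legitimately signed admin tool executing from a user-writable
    #    path, consistent with being unpacked by an installer as a sideload host.
    if orig in SIDELOAD_HOSTS and in_user_dir and ev.get("Signed") == "true":
        findings.append(f"{name} staged in user-writable path {image}")
    return findings


def scan(events):
    """Map image basename -> findings, for the records that raised any."""
    results = {}
    for ev in events:
        found = check_event(ev)
        if found:
            results[ntpath.basename(ev["Image"])] = found
    return results


if __name__ == "__main__":
    for image, found in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in found:
            print("  -", finding)
```

On the constructed records the renamed GlobalProtect64.exe raises two findings (OriginalFileName mismatch and an unexpected signer) and the staged ADInsight.exe one, while the genuine agent and the notepad control raise none. The point of rules 1 and 2 is that the decision rests on PE metadata and the Authenticode signer rather than the filename, which is exactly what a filename-only allow list lacks.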
For command and control, the malware communicates with compromised WordPress sites.
Researchers stated, “WikiLoader sample will terminate if it finds processes related to virtual machine software.”
They expect WikiLoader to remain in use throughout 2024 and beyond.