A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) poisoning campaign.
The malvertising activity, observed in June 2024, is a departure from previously observed tactics, in which the malware was propagated through traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.
WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.
Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that used a trojanized version of a Notepad++ plugin as the distribution vector.
That said, the loader-for-hire is suspected to be used by at least two initial access brokers (IABs), per Unit 42, which noted that the attack chains are characterized by tactics that allow the malware to evade detection by security tools.
"Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware instead of the searched-for product," the researchers said.
"This campaign's delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories."
Thus, users who search for the GlobalProtect software are shown Google ads that, when clicked, redirect them to a fake GlobalProtect download page, triggering the infection sequence.
The MSI installer includes an executable ("GlobalProtect64.exe") that is, in reality, a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab), used to sideload a malicious DLL named "i4jinst.dll."
This paves the way for the execution of shellcode that goes through a series of steps to ultimately download and launch the WikiLoader backdoor from a remote server.
To further increase the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating that certain libraries are missing from their Windows computers.
Besides using renamed versions of legitimate software to sideload the malware, the threat actors have incorporated anti-analysis checks that determine whether WikiLoader is running in a virtualized environment and terminate it when processes related to virtual machine software are found.
While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that the campaign may be the work of another IAB, or that existing groups delivering the malware have changed tactics in response to public disclosure.
"The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations," the researchers said.
The disclosure comes days after Trend Micro uncovered a new campaign that also leverages fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.