A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) poisoning campaign.
The malvertising activity, observed in June 2024, is a departure from previously observed tactics in which the malware was propagated through conventional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.
WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.
Then, earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that used a trojanized version of a Notepad++ plugin as the distribution vector.
That said, the loader-for-rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, which noted that the attack chains are characterized by tactics that allow the malware to evade detection by security tools.
“Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product,” the researchers stated.
“This campaign’s delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories.”
Thus, users who search for the GlobalProtect software are shown Google ads that, when clicked, redirect them to a fake GlobalProtect download page, effectively triggering the infection sequence.
The MSI installer includes an executable ("GlobalProtect64.exe") that, in reality, is a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab), used to sideload a malicious DLL named "i4jinst.dll."
This paves the way for the execution of shellcode that goes through a series of steps to ultimately download and launch the WikiLoader backdoor from a remote server.
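What a defender would look for in the chain described above, as an added example that is not Unit 42's or Palo Alto Networks' code: a small Python hunt over constructed Sysmon-style events that flags (1) a process whose on-disk file name differs from the PE's OriginalFileName, i.e. a renamed legitimate binary, and (2) an unsigned DLL loaded from the loading process's own directory outside C:\Windows, the classic search-order sideload, then correlates the two by ProcessGuid. The field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); the paths, ProcessGuid values and the OriginalFileName "TradingApp.exe" are constructed for illustration, and only the names GlobalProtect64.exe and i4jinst.dll come from the report.

```python
"""Hunt for a renamed legitimate binary sideloading an unsigned DLL.

Added example, not code from the report. Input is a list of dicts shaped like
Sysmon Event ID 1 (ProcessCreate: Image, OriginalFileName, ProcessGuid) and
Event ID 7 (ImageLoad: Image, ImageLoaded, SignatureStatus, ProcessGuid).
"""
import ntpath
from typing import Dict, List

# Loads from the Windows directory are expected and are not treated as sideloads.
SYSTEM_DIRS = ("c:\\windows\\",)

# Constructed sample events. Paths, GUIDs and "TradingApp.exe" are hypothetical;
# GlobalProtect64.exe and i4jinst.dll are the file names the report describes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessGuid": "{11111111-AAAA}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\GlobalProtect64.exe",
     "OriginalFileName": "TradingApp.exe"},
    {"EventID": "7", "ProcessGuid": "{11111111-AAAA}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\i4jinst.dll",
     "SignatureStatus": "Unavailable"},
    {"EventID": "7", "ProcessGuid": "{11111111-AAAA}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid"},
    # Benign control: name matches OriginalFileName (case differs only) and the
    # DLL it loads comes signed from System32.
    {"EventID": "1", "ProcessGuid": "{22222222-BBBB}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": "7", "ProcessGuid": "{22222222-BBBB}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "SignatureStatus": "Valid"},
]


def is_renamed_binary(event: Dict[str, str]) -> bool:
    """Event 1: the on-disk name differs from the PE version resource's
    OriginalFileName. Comparison is case-insensitive; Sysmon writes "-" when
    the resource is absent, which we do not treat as a mismatch."""
    if event.get("EventID") != "1":
        return False
    on_disk = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    return original not in ("", "-") and original != on_disk


def is_suspicious_sideload(event: Dict[str, str]) -> bool:
    """Event 7: a DLL without a valid signature loaded from the same directory
    as the loading executable, outside the Windows directory."""
    if event.get("EventID") != "7":
        return False
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if exe_dir != dll_dir or exe_dir.startswith(SYSTEM_DIRS):
        return False
    return event.get("SignatureStatus", "").lower() != "valid"


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious sideload, marking whether the loading
    process was itself a renamed binary (the higher-confidence combination)."""
    renamed = {e["ProcessGuid"] for e in events if is_renamed_binary(e)}
    findings: List[Dict[str, object]] = []
    for e in events:
        if is_suspicious_sideload(e):
            findings.append({
                "process": ntpath.basename(e["Image"]),
                "dll": ntpath.basename(e["ImageLoaded"]),
                "renamed_loader": e["ProcessGuid"] in renamed,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the hunt yields a single finding, GlobalProtect64.exe loading i4jinst.dll with renamed_loader set, while the notepad.exe control produces nothing. In a real pipeline the SignatureStatus test should be tightened to also require a trusted signer, since an attacker can ship a self-signed DLL, and the OriginalFileName check is only as good as the version resource, which a renamed-but-legitimate binary keeps intact precisely because the attacker wants the signature to stay valid.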
To further increase the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating that certain libraries are missing from their Windows computers.
Besides using renamed versions of legitimate software to sideload the malware, the threat actors have incorporated anti-analysis checks that determine whether WikiLoader is running in a virtualized environment and terminate it when processes related to virtual machine software are found.
While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that the campaign may be the work of another IAB, or that the existing groups delivering the malware have changed tactics in response to public disclosure.
“The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations,” the researchers said.
The disclosure comes days after Trend Micro uncovered a new campaign that also leverages fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.