A new malware campaign is spoofing Palo Alto Networks’ GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.
The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.
WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.
Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that leveraged a trojanized version of a Notepad++ plugin as the distribution vector.
That said, the loader for rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, stating the attack chains are characterized by tactics that allow it to evade detection by security tools.
“Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product,” the researchers said.
“This campaign’s delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories.”
Thus, users who end up searching for the GlobalProtect software are displayed Google ads that, upon clicking, redirect users to a fake GlobalProtect download page, effectively triggering the infection sequence.
The MSI installer includes an executable (“GlobalProtect64.exe”) that, in reality, is a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) used to sideload a malicious DLL named “i4jinst.dll.”
This paves the way for the execution of shellcode that goes through a sequence of steps to ultimately download and launch the WikiLoader backdoor from a remote server.
To further improve the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating certain libraries are missing from their Windows computers.
Besides using renamed versions of legitimate software for sideloading the malware, the threat actors have incorporated anti-analysis checks that determine if WikiLoader is running in a virtualized environment and terminate itself when processes related to virtual machine software are found.
While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that it’s possible the campaign is the work of another IAB or that existing groups delivering the malware have done so in response to public disclosure.
“The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations,” the researchers said.
The disclosure comes days after Trend Micro uncovered a new campaign that also leverages a fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.