Malware Campaign Targets GlobalProtect VPN Using SEO Techniques to Spread WikiLoader



Introduction

A new and sophisticated malware campaign has been detected, spoofing Palo Alto Networks' GlobalProtect VPN software to distribute the WikiLoader malware. This campaign, which was observed in June 2024, marks a departure from previously used methods, favoring search engine optimization (SEO) poisoning over traditional phishing emails. Researchers from Unit 42, Mark Lim and Tom Marsden, have identified this shift as part of a growing trend among cybercriminals to exploit more covert techniques for malware distribution.

Evolution of WikiLoader

WikiLoader, also known as WailingCrab, first gained attention in August 2023 when Proofpoint attributed it to the cybercrime group TA544. Initially, the malware was spread through email phishing campaigns, often to deliver banking trojans such as Danabot and Ursnif. In April 2024, South Korean cybersecurity firm AhnLab reported a new distribution method involving a trojanized Notepad++ plugin, showcasing the evolving nature of WikiLoader's delivery tactics.

WikiLoader is a malware loader-for-hire and has been used by at least two initial access brokers (IABs) to facilitate further cyberattacks. Its primary strength lies in its ability to evade detection, employing tactics that bypass traditional security measures.

SEO Poisoning as the New Attack Vector

In this latest campaign, attackers have shifted from email-based phishing to SEO poisoning as the primary method of malware delivery. SEO poisoning manipulates search engine results to deceive users into visiting malicious websites. In this case, users searching for GlobalProtect VPN are shown fraudulent Google ads, which redirect them to a fake download page. The campaign uses cloned websites, cloud-based Git repositories, and legitimate-looking infrastructure to bolster its credibility.

Once the user clicks on the malicious ad and downloads the installer, they are infected by an altered version of legitimate software. Specifically, the fake installer includes an executable file named "GlobalProtect64.exe," which is actually a modified version of a stock trading application from TD Ameritrade. This file sideloads a malicious DLL called "i4jinst.dll," allowing the malware to execute shellcode that downloads and launches WikiLoader from a remote server.
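The GlobalProtect64.exe / i4jinst.dll sideload described above is a concrete pattern a defender can look for in host telemetry. The code below is an added example, not code from Unit 42 or from this article; it assumes Sysmon-style image-load records (Event ID 7) flattened into a Key=Value layout and runs over constructed sample events.

```python
import re

# Constructed, Sysmon-style "image loaded" records (Event ID 7) used only to
# exercise the detection below; these are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe ImageLoaded=C:\Users\alice\Downloads\GlobalProtect\i4jinst.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true",
    r"EventID=7 Image=C:\Users\bob\AppData\Local\Temp\GlobalProtect64.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"EventID=1 Image=C:\Users\bob\AppData\Local\Temp\GlobalProtect64.exe CommandLine=GlobalProtect64.exe",
]

# Key=Value pairs; values may contain spaces (e.g. "Program Files"), so stop
# only at the next " Key=" token or end of line.
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return {k: v for k, v in _FIELD.findall(line)}

def _dir_and_name(path: str) -> tuple:
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    d, _, n = path.lower().rpartition("\\")
    return d, n

def detect_sideload(lines: list) -> list:
    """Flag image loads matching the chain on this page: a process named
    GlobalProtect64.exe loading i4jinst.dll, with extra context on why it looks bad."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        exe_dir, exe_name = _dir_and_name(ev.get("Image", ""))
        dll_dir, dll_name = _dir_and_name(ev.get("ImageLoaded", ""))
        if exe_name != "globalprotect64.exe" or dll_name != "i4jinst.dll":
            continue
        reasons = ["GlobalProtect64.exe loaded i4jinst.dll"]
        if exe_dir == dll_dir:
            reasons.append("DLL resides beside the executable (sideload pattern)")
        if ev.get("Signed", "").lower() == "false":
            reasons.append("loaded DLL is unsigned")
        if any(tag in exe_dir for tag in USER_WRITABLE):
            reasons.append("executable runs from a user-writable path")
        findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in detect_sideload(SAMPLE_EVENTS):
        print(f["image"], "->", f["dll"])
        for r in f["reasons"]:
            print("  -", r)
```

Only the first constructed event is reported; the legitimate PanGPA.exe load and the GlobalProtect64.exe load of a System32 DLL are left alone, which keeps the check narrow enough to triage by hand.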

Obfuscation and Anti-Analysis Techniques

To further obscure the malicious activity, the campaign employs several anti-detection measures. After completing the infection process, a fake error message is displayed to the user, claiming that certain libraries are missing from their system. This is meant to reassure victims that the installation failed due to a harmless technical issue.

Additionally, WikiLoader includes anti-analysis checks that detect virtualized environments. If the malware determines that it is running inside a virtual machine, a setup commonly used for malware analysis, it terminates itself to avoid detection. Together with the fake error message, this helps the malware remain hidden and operational for as long as possible.

Potential Reasons for the Shift in Tactics

The reason for the shift from phishing to SEO poisoning as the primary infection method remains unclear. Unit 42 speculates that the change may be due to increased awareness of phishing tactics or the involvement of a different threat actor. It is also possible that the cybercriminals behind WikiLoader adapted their approach in response to public disclosures about their previous methods.

Conclusion

The latest campaign targeting GlobalProtect VPN users underscores the increasing complexity of malware distribution techniques. By combining fake ads, cloned websites, and renamed legitimate software, the attackers have created a highly deceptive infection chain. The growing use of SEO poisoning over phishing emails suggests a shift in the cyber threat landscape, with criminals focusing on more sophisticated and less detectable methods to reach their victims. As malware like WikiLoader continues to evolve, organizations and users must remain vigilant and adopt stronger security measures to mitigate these emerging threats.
