Sep 04, 2024 | Ravie Lakshmanan | Malware / Network Security
A new malware campaign is using a deceptive strategy to deliver the WikiLoader malware variant by impersonating Palo Alto Networks’ GlobalProtect VPN software through an SEO campaign.
The malvertising scheme, discovered in June 2024, marks a departure from previous tactics in which the malware was spread via phishing emails, Unit 42 researchers Mark Lim and Tom Marsden explained.
WikiLoader, linked to the TA544 threat actor, has been associated with deploying Danabot and Ursnif through email attacks.
In April, AhnLab reported an attack campaign that used a trojanized Notepad++ plugin for distribution.
Unit 42 suspects the malware loader is rented by at least two initial access brokers, with attack chains designed to evade security tools.
According to the researchers, attackers often use SEO poisoning to trick users into browsing spoofed pages disguised as legitimate search results to deliver malware instead of the intended content.
The campaign’s delivery infrastructure includes cloned websites posing as GlobalProtect and cloud-based Git repositories.
Users searching for GlobalProtect software are led to fake download pages through Google ads, starting the malware infection process.
The installer includes an executable masquerading as a legitimate trading application to load a malicious DLL and execute shellcode for launching WikiLoader.
The attackers also include anti-analysis measures to detect virtualized environments and terminate the malware accordingly.
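As an added example (not code from the article or from Unit 42), the following Python snippet shows how a defender might sweep web-proxy logs for the delivery stage described above: GlobalProtect-themed pages or installers served from hosts outside Palo Alto Networks' own domains. The domain allowlist, log format and sample lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Assumption: legitimate GlobalProtect downloads come only from these domains.
LEGIT_SUFFIXES = ("paloaltonetworks.com", "gpcloudservice.com")
INSTALLER_RE = re.compile(r"\.(exe|msi|pkg|dmg)$", re.IGNORECASE)
KEYWORDS = ("globalprotect", "global-protect", "paloalto")

def is_legit_host(host):
    """True only if host is exactly, or a subdomain of, an allowlisted domain.
    A suffix match on the whole label prevents 'paloaltonetworks.com.evil.example'
    from passing."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def flag_request(url):
    """Return a reason string if the URL looks like a spoofed GlobalProtect
    download or landing page, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not any(k in (host + parsed.path).lower() for k in KEYWORDS):
        return None                      # not GlobalProtect-themed at all
    if is_legit_host(host):
        return None                      # vendor-hosted, nothing to flag
    if INSTALLER_RE.search(parsed.path):
        return f"installer fetched from non-Palo Alto host {host}"
    return f"GlobalProtect-themed page on non-Palo Alto host {host}"

def scan_proxy_log(lines):
    """Parse 'timestamp client method url' lines (constructed format) and
    return a list of (url, reason) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        reason = flag_request(parts[3])
        if reason:
            hits.append((parts[3], reason))
    return hits

# Constructed sample log; .example is a reserved TLD, so no real site is named.
SAMPLE_LOG = [
    "2024-06-12T09:14:02Z 10.0.0.5 GET https://www.paloaltonetworks.com/products/globalprotect",
    "2024-06-12T09:15:10Z 10.0.0.5 GET https://globalprotect-download.example/GlobalProtect64.exe",
    "2024-06-12T09:16:33Z 10.0.0.7 GET https://paloaltonetworks.com.evil.example/globalprotect/",
    "2024-06-12T09:17:01Z 10.0.0.9 GET https://news.example/story",
]

if __name__ == "__main__":
    for url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {reason}: {url}")
```

Pairing the hits with the client address lets the SOC go straight to the endpoint that fetched the installer, which is where the DLL side-loading and VM checks described above would play out.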
Unit 42 speculates that the shift from phishing to SEO poisoning may be due to a new group of initial access brokers or existing groups adapting to public disclosures.
“The mix of spoofed, compromised, and legitimate infrastructure used in WikiLoader campaigns indicates a focus on building a secure and effective loader with multiple command-and-control configurations,” the researchers noted.
The findings coincide with Trend Micro’s discovery of a similar campaign using fake GlobalProtect VPN software to distribute backdoor malware in the Middle East.