A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.
The malvertising activity, observed in June 2024, is a departure from previously observed tactics, in which the malware has been propagated via conventional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.
WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.
Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that leveraged a trojanized version of a Notepad++ plugin as the distribution vector.
That said, the loader-for-rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, which noted that the attack chains are characterized by tactics that allow it to evade detection by security tools.
"Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product," the researchers said.
"This campaign's delivery infrastructure leveraged cloned websites relabeled as GlobalProtect together with cloud-based Git repositories."
Thus, users who search for the GlobalProtect software are shown Google ads that, upon clicking, redirect them to a fake GlobalProtect download page, effectively triggering the infection sequence.
The MSI installer includes an executable ("GlobalProtect64.exe") that is, in reality, a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab), used to sideload a malicious DLL named "i4jinst.dll."
This paves the way for the execution of shellcode that goes through a series of steps to ultimately download and launch the WikiLoader backdoor from a remote server.
To further improve the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating that certain libraries are missing from their Windows computers.
Besides using renamed versions of legitimate software to sideload the malware, the threat actors have incorporated anti-analysis checks that determine whether WikiLoader is running in a virtualized environment and terminate it when processes related to virtual machine software are found.
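The sideloading chain described above (a renamed legitimate executable, GlobalProtect64.exe, loading i4jinst.dll from its own directory) leaves a recognisable shape in endpoint telemetry. The following Python rule is an added example written for this page, not code from Unit 42 or Palo Alto Networks. It scores Sysmon-style image-load (Event ID 7) records and assumes that the genuine client lives under C:\Program Files\Palo Alto Networks\GlobalProtect (its default install directory), that the process image's OriginalFileName has been joined in from the matching process-creation (Event ID 1) record, and that the sample records at the bottom, including their OriginalFileName strings, are constructed for the example rather than captured telemetry.

```python
"""
Added detection example for the DLL-sideloading chain in the write-up above.
Scores Sysmon-style image-load records (Event ID 7) for three signals:
known indicator names, the generic sideload shape (unsigned DLL loaded from
the executable's own, untrusted directory), and a renamed vendor binary
(on-disk name differs from the PE OriginalFileName).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: the genuine client's default install directory. Binaries with
# GlobalProtect-style names running anywhere else deserve a second look.
GLOBALPROTECT_DIR = r"c:\program files\palo alto networks\globalprotect"
TRUSTED_DIRS = (GLOBALPROTECT_DIR, r"c:\windows\system32", r"c:\windows\syswow64")

# Indicator names taken from the write-up. Extend from your own intel; a
# file name on its own is a weak signal, which is why it is combined below.
SUSPECT_DLLS = {"i4jinst.dll"}
SUSPECT_EXES = {"globalprotect64.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """One Event ID 7 record reduced to the fields the rule needs.

    original_file_name is the PE version-resource OriginalFileName of the
    *process* image. Event ID 7 does not carry it, so a real pipeline joins
    it in from the matching Event ID 1 (process creation) record.
    """
    image: str               # Image: path of the process doing the loading
    image_loaded: str        # ImageLoaded: path of the DLL
    signed: bool             # Signed flag reported for the DLL
    original_file_name: str  # OriginalFileName of the process image


def _norm_dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_trusted_dir(path: str) -> bool:
    d = _norm_dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons a record looks like sideloading; empty means clean."""
    exe = ntpath.basename(ev.image).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    reasons: list[str] = []

    # 1. Known indicator names from the campaign.
    if dll in SUSPECT_DLLS:
        reasons.append(f"known sideload DLL name: {dll}")
    if exe in SUSPECT_EXES and not _in_trusted_dir(ev.image):
        reasons.append(f"{exe} running outside {GLOBALPROTECT_DIR}")

    # 2. Generic sideload shape: an unsigned DLL pulled from the executable's
    #    own directory, and that directory is not a trusted install location.
    same_dir = _norm_dir(ev.image) == _norm_dir(ev.image_loaded)
    if same_dir and not ev.signed and not _in_trusted_dir(ev.image_loaded):
        reasons.append("unsigned DLL loaded from the executable's own untrusted directory")

    # 3. Renamed legitimate binary: the on-disk name differs from the name
    #    the vendor compiled into the version resource.
    if ev.original_file_name and ev.original_file_name.lower() != exe:
        reasons.append(
            f"on-disk name {exe} does not match OriginalFileName {ev.original_file_name}"
        )
    return reasons


def find_sideloads(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Filter a batch of records down to the flagged ones with their reasons."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records. The first two mimic a proper install; the last
# mimics the dropped installer. The OriginalFileName strings are placeholders,
# not the real resource values of either vendor's binary.
SAMPLE_EVENTS = [
    ImageLoad(
        image=r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe",
        image_loaded=r"C:\Windows\System32\wininet.dll",
        signed=True,
        original_file_name="PanGPA.exe",
    ),
    ImageLoad(
        image=r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe",
        image_loaded=r"C:\Program Files\Palo Alto Networks\GlobalProtect\helper.dll",
        signed=True,
        original_file_name="PanGPA.exe",
    ),
    ImageLoad(
        image=r"C:\Users\victim\AppData\Local\Temp\GlobalProtect64.exe",
        image_loaded=r"C:\Users\victim\AppData\Local\Temp\i4jinst.dll",
        signed=False,
        original_file_name="tradingapp.exe",  # placeholder for the renamed vendor binary
    ),
]

if __name__ == "__main__":
    for ev, reasons in find_sideloads(SAMPLE_EVENTS):
        print(ev.image)
        for r in reasons:
            print("  -", r)
```

The OriginalFileName mismatch is the most durable of the three signals: the file names and the Temp directory will change between campaigns, but a renamed vendor binary keeps the vendor's version resource unless the attacker patches it, and a signed DLL from a trusted path is deliberately left unflagged so normal GlobalProtect activity does not page anyone.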
While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that the campaign may be the work of another IAB, or that the existing groups delivering the malware have changed tactics in response to public disclosure.
"The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations," the researchers said.
The disclosure comes days after Trend Micro uncovered a new campaign that also leverages fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.