A recent cyberattack campaign discovered in June 2024 involved the distribution of a new variant of the WikiLoader malware through SEO poisoning.

Description

This campaign used a spoofed version of GlobalProtect, Palo Alto Networks’ VPN software [2] [6], as its delivery method and targeted victims in the US higher education and transportation sectors [2] [3], as well as organizations in Italy [2]. The infection chain injects shellcode into explorer.exe for persistence and for communication with the C2 servers [4], displays fake error messages, and renames legitimate software so that the backdoor can be side-loaded [4]. The threat actors showed a clear awareness of evasion techniques [3]: typosquatting [3] [4], the MQTT protocol for C2 communications [3], legitimate sites used as C2 infrastructure, signed binaries for delivery [3], and complex encryption and obfuscation to evade detection [3]. Financially motivated threat actors have used WikiLoader [4], also known as WailingCrab [2], since at least late 2022 [4] to deliver banking Trojans such as Danabot and Ursnif/Gozi [4]. The campaign seeded search results for popular GlobalProtect-related search terms [3]. The shift from phishing to SEO poisoning in WikiLoader campaigns may be a response to improved phishing detection capabilities within organizations [3].

Conclusion

To mitigate the risks posed by such advanced threats [1], experts recommend better detection of SEO poisoning [1], robust endpoint protection [1] [5], application whitelisting [1] [5], network segmentation [1], and threat hunting to identify and address potential vulnerabilities [1].
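As a worked illustration of the threat-hunting recommendation above, the following added script (not code from any of the cited reports) runs two simple checks over constructed endpoint connection telemetry: explorer.exe talking to MQTT ports, which matches the shellcode-injection and MQTT C2 behaviour described, and destination domains that are typosquatted lookalikes of the GlobalProtect brand. The record fields, the MQTT port list and the `LEGIT_DOMAINS` allowlist are assumptions for the example, not vendor schemas or indicators from the page.

```python
from dataclasses import dataclass

MQTT_PORTS = {1883, 8883}            # plaintext and TLS MQTT (assumed watch-list)
LEGIT_BRAND = "globalprotect"
LEGIT_DOMAINS = {"paloaltonetworks.com"}  # assumed allowlist; tune to your environment


@dataclass
class Conn:
    process: str     # image name of the process that opened the connection
    dest_host: str   # destination hostname
    dest_port: int   # destination TCP port


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(host: str, max_dist: int = 2) -> bool:
    """True if the second-level label imitates the brand and the host is not allowlisted."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return LEGIT_BRAND in sld or edit_distance(sld, LEGIT_BRAND) <= max_dist


def hunt(conns):
    """Return (connection, reason) pairs worth an analyst's attention."""
    findings = []
    for c in conns:
        if c.process.lower() == "explorer.exe" and c.dest_port in MQTT_PORTS:
            findings.append((c, "explorer.exe speaking MQTT"))
        if looks_like_brand(c.dest_host):
            findings.append((c, "GlobalProtect lookalike domain"))
    return findings


SAMPLE = [  # constructed telemetry for the example; none of these are real indicators
    Conn("chrome.exe", "www.paloaltonetworks.com", 443),
    Conn("explorer.exe", "broker.example.net", 1883),
    Conn("msedge.exe", "globalprotect-dowload.example", 443),
    Conn("msedge.exe", "g1obalprotect.example", 443),
    Conn("explorer.exe", "update.example.org", 443),
]
```

Run `hunt(SAMPLE)` to see the three flagged records; in practice the same two checks map directly onto a SIEM query over process-network events.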

References

[1] https://cybermaterial.com/wikiloader-malware-delivered-via-vpn-app/
[2] https://www.darkreading.com/threat-intelligence/cyberattackers-spoof-palo-alto-vpns-to-spread-wikiloader-variant
[3] https://securityonline.info/wikiloader-malware-evolves-with-seo-poisoning-targets-globalprotect-users/
[4] https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
[5] https://thecyberwire.com/podcasts/daily-podcast/2142/transcript
[6] https://www.infosecurity-magazine.com/news/palo-alto-vpn-spoofed-wikiloader/