A recent malware campaign discovered by researchers at Palo Alto Networks’ Unit 42 involves cybercriminals impersonating sellers of Palo Alto Networks GlobalProtect VPN software to distribute a new variant of the WikiLoader downloader malware through SEO poisoning.

Description

This malvertising activity [2], observed in June 2024 [2], marks a shift from previous tactics of phishing emails [2]. Threat actors have created fake GlobalProtect VPN download pages on cloned legitimate websites to deceive users into downloading malware onto their systems [3]. The malware, attributed to threat actor TA544 [2], has been linked to the deployment of Danabot and Ursnif. The attack chains are designed to evade security tools [2], with SEO poisoning used to trick users into downloading the malware disguised as legitimate software [2]. The malware operates in the background, collecting data and potentially installing additional malicious software [3]. It includes anti-analysis checks to avoid detection in virtualized environments [2]. The threat actors have gone to great lengths to make their infrastructure and malware appear legitimate [3], even using a legitimate Palo Alto Networks software code signing certificate to sign the malware [3]. This change to using SEO poisoning as a spreading mechanism may be a response to public disclosure or the actions of a new initial access broker group that sells access to compromised networks, expanding the potential victim pool compared to phishing attacks [3]. The campaign targets users in the Middle East with backdoor malware, bypassing endpoint controls and effectively delivering malware to victims in the US higher education and transportation sectors, as well as organizations in Italy [1].

Conclusion

This malware campaign highlights the evolving tactics of cybercriminals and the need for enhanced cybersecurity measures. Organizations should be vigilant and implement robust security protocols to protect against such threats. The use of SEO poisoning as a distribution method underscores the importance of staying informed about emerging threats and adapting security strategies accordingly.

References

[1] https://www.darkreading.com/threat-intelligence/cyberattackers-spoof-palo-alto-vpns-to-spread-wikiloader-variant
[2] https://thehackernews.com/2024/09/hackers-use-fake-globalprotect-vpn.html
[3] https://vpncentral.com/hackers-use-fake-vpn-software-to-spread-wikiloader-malware/