Palo Alto Networks has observed that GlobalProtect, its virtual private network (VPN) software, was leveraged to deliver a new variant of the WikiLoader loader malware.
In a report published on September 2, Unit 42, Palo Alto Networks’ threat intelligence unit, shared findings about a WikiLoader campaign leveraging GlobalProtect-themed search engine optimization (SEO) poisoning. This phishing tactic had never been associated with WikiLoader delivery before.
The campaign was detected in June 2024 by Unit 42’s Managed Threat Hunting (MTH) team, which handed its findings over to the Advanced WildFire reverse engineering team, another unit within Palo Alto Networks, to analyze the delivery, infection and evasion techniques.
Background on WikiLoader
WikiLoader is a sophisticated downloader malware that was first identified in 2022 by security firm Proofpoint, which made it public in 2023. It is also known as WailingCrab.
To spread WikiLoader, threat actors typically use traditional phishing techniques, such as compromised WordPress sites, and public MQ Telemetry Transport (MQTT) brokers as command and control (C2) servers.
WikiLoader is typically sold in underground marketplaces by an initial access broker (IAB).
According to Unit 42, the first WikiLoader campaigns primarily affected the US higher education and transportation sectors.
Proofpoint also reported attackers used the threat to deliver banking Trojans such as Danabot and Ursnif/Gozi to organizations based in Italy.
SEO Poisoning and GlobalProtect Spoofing Campaign
In June 2024, Unit 42 detected a new WikiLoader campaign using a different spreading technique: SEO poisoning.
SEO poisoning is the process of getting an attacker-controlled site on the front page of search engine results for a legitimate product through purchasing advertisements or improving page rank.
“Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product. This campaign’s delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories,” Unit 42 wrote in its report.
With this spreading technique, the threat researchers assessed that the new campaign “almost certainly broadens the scope of possible victims compared to phishing.”
Potential New Initial Access Broker Delivering WikiLoader
While the threat researchers admitted they do not know why threat actors used this new spreading technique, their main hypothesis is that a different IAB has begun to work with WikiLoader to operationalize its delivery through SEO poisoning in recent months.
“Alternatively, groups that are publicly tracked using WikiLoader could have shifted to SEO poisoning from phishing after an improvement in endpoint security controls or industry reporting disrupted their operations,” the report added.
The report also said that the observed combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware operators’ attention to building an operationally secure and robust loader, with multiple C2 configurations.
“The authors suspect that we will likely see continued WikiLoader use throughout 2024 and beyond,” the report concluded.