Hackers Exploit Fake GlobalProtect VPN Software in New WikiLoader Malware Attack

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver the WikiLoader malware. This attack, which surfaced in June 2024, marks a significant shift in the tactics employed by cybercriminals, moving from traditional phishing emails to leveraging search engine optimization (SEO) poisoning to distribute the malware.

The Evolving Threat Landscape

The campaign, uncovered by Unit 42 researchers Mark Lim and Tom Marsden, is part of a broader trend where hackers are increasingly using sophisticated methods to evade detection and infect systems. WikiLoader, also known as WailingCrab, was first documented by Proofpoint in August 2023. It has since been attributed to the threat actor TA544, who has used it to deploy other notorious malware strains such as Danabot and Ursnif.

Historically, WikiLoader has been distributed via phishing emails. However, in this latest campaign, attackers have adopted SEO poisoning as the primary attack vector. By manipulating search engine results, they direct unsuspecting users to malicious websites that spoof legitimate software downloads—in this case, the GlobalProtect VPN software.

The Mechanics of the Attack

The attack begins when users search for GlobalProtect software and are presented with Google ads that appear legitimate. Clicking on these ads redirects users to a fake download page designed to mimic the real GlobalProtect site. Here, the users unknowingly download a malicious installer.

The MSI installer, disguised as "GlobalProtect64.exe," is a cleverly renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab). This legitimate software is abused to sideload a malicious DLL named "i4jinst.dll," which then executes shellcode designed to download and launch the WikiLoader backdoor from a remote server.

To further deceive victims, the installer displays a fake error message, claiming that certain libraries are missing from their Windows computers. This tactic adds a layer of legitimacy to the attack, making it less likely that users will suspect foul play.
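The sideloading pattern described above (a renamed legitimate executable, launched from a download folder, loading a malicious DLL that sits next to it) is something a defender can hunt for in endpoint telemetry. The following Python script is an added example, not code from the Unit 42 report or from Net Protector: it reads image-load events and flags either the DLL name named in this article (i4jinst.dll) or, more generally, an unsigned DLL loaded from the same user-writable directory as its host executable. The sample log lines are constructed and only loosely modelled on Sysmon image-load fields; the field names, the list of user-writable directory fragments and every path in the sample are assumptions.

```python
"""Hunt for likely DLL sideloading in image-load telemetry.

Added example (not from the Unit 42 report or Net Protector). The event
format 'Key=value Key=value' and the sample events below are constructed;
field names are assumed, loosely following Sysmon image-load events.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# DLL name the article reports being sideloaded by the renamed installer.
KNOWN_SIDELOADED = {"i4jinst.dll"}

# Directory fragments a standard user can usually write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Matches 'Key=value' pairs; values may contain spaces (e.g. Program Files).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample telemetry: one image-load event per line.
SAMPLE_EVENTS = "\n".join([
    "Image=C:\\Users\\alice\\Downloads\\GlobalProtect64.exe "
    "ImageLoaded=C:\\Users\\alice\\Downloads\\i4jinst.dll Signed=false",
    "Image=C:\\Program Files\\Example Vendor\\app.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe "
    "ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll Signed=false",
    "Image=C:\\Program Files\\Example Vendor\\app.exe "
    "ImageLoaded=C:\\Program Files\\Example Vendor\\helper.dll Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Programs\\Editor\\editor.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Programs\\Editor\\plugin.dll Signed=true",
])


@dataclass
class Finding:
    image: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key=value Key=value' line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_user_writable(path: str) -> bool:
    """True if the path lies under a directory a normal user can write to."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the two sideloading heuristics to a single event."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    signed = event.get("Signed", "false").lower() == "true"

    # Rule 1: the DLL name reported in this campaign, wherever it loads from.
    if dll.name.lower() in KNOWN_SIDELOADED:
        return Finding(str(image), str(dll), "known sideloaded DLL name")

    # Rule 2: unsigned DLL sitting beside its host exe in a user-writable dir.
    same_dir = dll.parent == image.parent  # case-insensitive on Windows paths
    if same_dir and not signed and is_user_writable(str(image)):
        return Finding(
            str(image), str(dll),
            "unsigned DLL loaded from user-writable directory beside executable",
        )
    return None


def scan(log_text: str) -> List[Finding]:
    """Run assess() over every non-empty line and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[sideload?] {f.image} -> {f.dll}: {f.reason}")
```

Run against the constructed sample, the script flags the renamed GlobalProtect64.exe loading i4jinst.dll and the unsigned helper loaded by an installer out of a Temp folder, while leaving the signed loads (including a signed plugin in a per-user install) alone. The second rule is deliberately broad; in a real environment it should be fed by a signature-verification field from the EDR and tuned with an allowlist of known per-user installers.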

Advanced Evasion Techniques

The threat actors behind this campaign have gone to great lengths to ensure that their malware can evade detection by security tools. In addition to using renamed legitimate software for sideloading, they have incorporated anti-analysis checks. These checks determine if WikiLoader is running in a virtualized environment—a common method used by cybersecurity professionals to analyze malware. If such an environment is detected, the malware will terminate itself, making it difficult to study and mitigate.

The Implications for Businesses and Users

The shift from phishing to SEO poisoning in the distribution of WikiLoader represents a significant evolution in the tactics used by cybercriminals. While the exact reason for this shift is unclear, Unit 42 researchers speculate that it may be the work of a different initial access broker (IAB) or a response to increased public awareness of phishing attacks.

This campaign's use of spoofed, compromised, and legitimate infrastructure highlights the increasing sophistication of malware authors. By building a robust and operationally secure loader with multiple command-and-control (C2) configurations, they have made it more difficult for security teams to detect and stop these attacks.

Staying Protected: Best Practices

To protect against such advanced threats, both businesses and individual users must remain vigilant and adopt comprehensive cybersecurity measures:

  1. Avoid Clicking on Ads: Be cautious when clicking on ads in search engine results, especially when looking for software downloads. Always download software from the official website or trusted sources.
  2. Regular Software Audits: Ensure that all software and applications on your network are legitimate and up-to-date. Regular audits can help identify and remove potentially compromised software.
  3. Implement Advanced Threat Detection: Use advanced threat detection tools that can identify and block malware even when it employs sophisticated evasion techniques.

The recent WikiLoader malware attack is a stark reminder of the constantly evolving threat landscape. As cybercriminals continue to develop new tactics to bypass security measures, it is crucial for organizations to stay ahead by implementing robust cybersecurity strategies. At Net Protector Cyber Security, we are committed to providing cutting-edge solutions to protect against the ever-growing array of digital threats. Stay vigilant, stay protected.