Palo Alto Networks has observed that GlobalProtect, its virtual private network (VPN) software, was leveraged to deliver a new variant of the WikiLoader loader malware.
In a report published on September 2, Unit 42, Palo Alto Networks’ threat intelligence unit, shared findings about a WikiLoader campaign leveraging GlobalProtect-themed search engine optimization (SEO) poisoning. This phishing tactic had never been associated with WikiLoader delivery before.
The campaign was detected in June 2024 by Unit 42’s Managed Threat Hunting (MTH) team, which handed its findings over to the Advanced WildFire reverse engineering team, another unit within Palo Alto Networks, to analyze the delivery, infection and evasion techniques.
Background on WikiLoader
WikiLoader is a sophisticated downloader malware that was first identified in 2022 by security firm Proofpoint, which made it public in 2023. It is also known as WailingCrab.
To spread WikiLoader, threat actors typically use traditional phishing techniques (such as compromised WordPress sites) and rely on public MQ Telemetry Transport (MQTT) brokers as command and control (C2) servers.
WikiLoader is typically sold in underground marketplaces by an initial access broker (IAB).
According to Unit 42, the first WikiLoader campaigns primarily affected the US higher education and transportation sectors.
Proofpoint also reported attackers used the threat to deliver banking Trojans such as Danabot and Ursnif/Gozi to organizations based in Italy.
SEO Poisoning and GlobalProtect Spoofing Campaign
In June 2024, Unit 42 detected a new WikiLoader campaign using a different spreading technique: SEO poisoning.
SEO poisoning is the process of getting an attacker-controlled site onto the front page of search engine results for a legitimate product, either by purchasing advertisements or by manipulating page rank.