Hacking Poisoning GlobalProtect VPN To Deliver WikiLoader Malware On Windows

The Hacker News – Ravie Lakshmanan
This article describes a new malware campaign involving WikiLoader (also known as WailingCrab):
1) The campaign is spoofing Palo Alto Networks’ GlobalProtect VPN software.
2) It uses search engine optimization (SEO) tactics instead of traditional phishing emails.
3) WikiLoader was first documented in August 2023 and attributed to a threat actor called TA544.
4) The malware is suspected to be used by at least two initial access brokers (IABs).
5) The attack method:
– Uses SEO poisoning to trick users into visiting fake search results
– Displays Google ads that redirect to a fake GlobalProtect download page
– Uses a legitimate TD Ameritrade application to sideload a malicious DLL
– Ultimately downloads and launches the WikiLoader backdoor
6) The attackers employ anti-analysis checks to detect virtual environments.
7) The campaign includes a fake error message to maintain the illusion of legitimacy.
8) The shift from phishing to SEO poisoning could be due to new actors using WikiLoader or a response to public disclosure.
9) The malware authors show attention to building a secure and robust loader with multiple command-and-control configurations.
10) A similar campaign targeting users in the Middle East with backdoor malware was recently uncovered by Trend Micro.
This new campaign demonstrates the evolving tactics of malware distributors, emphasizing the importance of user awareness and robust security measures.
Link: https://thehackernews.com/2024/09/hackers-use-fake-globalprotect-vpn.html
