Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

VTA-004494 – Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

Palo Alto Networks’ Unit 42 discovered a new campaign that used SEO poisoning to trick users into downloading WikiLoader malware disguised as the legitimate GlobalProtect VPN software. The attackers chained several techniques. First, they manipulated search engine results so that fake GlobalProtect download pages appeared at the top. Clicking the download link delivered a file disguised as a GlobalProtect installer. This file, however, was a legitimate, signed application renamed to look like GlobalProtect, which then side-loaded the actual WikiLoader component. WikiLoader injected malicious code into a legitimate Windows process and contacted a compromised website for further instructions. To ensure persistence, it created a scheduled task. The attackers also employed several anti-analysis techniques to evade detection: displaying a fake error message after infection, using renamed legitimate software for side-loading, checking for analysis environments, and using a folder name as the encryption key for the backdoor. This campaign highlights the evolving tactics of cybercriminals and the importance of staying vigilant against social engineering attacks.
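
As an added example (not from the Unit 42 report or this advisory), the Python below shows how a defender could pick out the chain described above from Sysmon-style ProcessCreate and ImageLoad events: a renamed signed binary run from a user-writable folder, an unsigned DLL loaded from that binary's own directory, and a scheduled-task creation spawned by it. All events, paths and binary names are constructed placeholders; the advisory does not name the real files.

```python
import ntpath  # Windows path handling regardless of the host OS

# Constructed Sysmon-style events (EID 1 = ProcessCreate, EID 7 = ImageLoad).
# LEGIT_SIGNED_APP.exe and helper.dll are placeholders, not real indicators.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}",
     "Image": r"C:\Users\u\Downloads\GlobalProtect64.exe",
     "OriginalFileName": "LEGIT_SIGNED_APP.exe",
     "CommandLine": r'"C:\Users\u\Downloads\GlobalProtect64.exe"'},
    {"EventID": 7, "ProcessGuid": "{P1}", "Image": r"C:\Users\u\Downloads\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\helper.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "GlobalProtect" /tr "C:\Users\u\Downloads\GlobalProtect64.exe" /sc onlogon'},
    # Benign control: an un-renamed installer loading a signed system DLL
    {"EventID": 1, "ProcessGuid": "{P3}", "ParentProcessGuid": "{P0}",
     "Image": r"C:\Users\u\Downloads\setup.exe", "OriginalFileName": "setup.exe", "CommandLine": "setup.exe"},
    {"EventID": 7, "ProcessGuid": "{P3}", "Image": r"C:\Users\u\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

def detect_sideload_chain(events):
    """Return {ProcessGuid: [indicators]} for processes that match at least two
    stages of the described chain; requiring two stages keeps noise down."""
    findings = {}
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    for guid, p in procs.items():
        img = p["Image"].lower()
        if not any(marker in img for marker in USER_WRITABLE):
            continue  # only binaries run from user-writable paths are in scope
        hits = []
        # 1. Renamed legitimate software: on-disk name differs from the PE's OriginalFileName
        if ntpath.basename(img) != p["OriginalFileName"].lower():
            hits.append("renamed-binary")
        # 2. Side-loading: an unsigned DLL loaded from the executable's own directory
        if any(e["EventID"] == 7 and e["ProcessGuid"] == guid and e["Signed"] == "false"
               and ntpath.dirname(e["ImageLoaded"].lower()) == ntpath.dirname(img) for e in events):
            hits.append("unsigned-dll-sideload")
        # 3. Persistence: the process spawns schtasks.exe with /create
        if any(c["ParentProcessGuid"] == guid and ntpath.basename(c["Image"].lower()) == "schtasks.exe"
               and "/create" in c["CommandLine"].lower() for c in procs.values()):
            hits.append("schtasks-create")
        if len(hits) >= 2:
            findings[guid] = hits
    return findings
```

Running `detect_sideload_chain(EVENTS)` flags only `{P1}` with all three indicators; the benign installer `{P3}` produces none.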

Severity:
Medium

Attack Surface:
Web Application, Web Browser

Tactics:
Command and Control, Defense Evasion, Execution, Exfiltration, Impact, Initial Access

References:
1. https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/

SuperPRO’s Threat Countermeasures Procedures:
1. Don’t blindly trust search engine results, especially when downloading software. Double-check the URL and ensure it leads to the legitimate website of the software provider.
2. Before downloading any software, verify its authenticity. Visit the official website of the software provider to download the latest version directly.
3. Carefully examine downloaded files. Look for inconsistencies, like file size discrepancies or unexpected file extensions compared to the legitimate software.
4. Use robust security software with features such as web filtering, which blocks access to malicious websites surfaced through SEO poisoning.

Contributed by: Syaff