Palo Alto Networks’ Unit 42 team has uncovered a WikiLoader variant delivered via SEO poisoning and spoofing the company’s own GlobalProtect VPN client. The attackers exploit the trust users place in a familiar download page by closely mimicking the legitimate one. SEO poisoning and malicious search ads are increasingly used to deliver loaders to endpoints, since the victim fetches and runs the payload themselves and no exploit or phishing email is needed. The campaign has two phases: the initial infection, and the command-and-control (C2) infrastructure that follows it.
Initial Infection
The infection begins when the victim runs a file named `setup.exe`, which drops a malicious executable (`GlobalProtect.exe`) together with two configuration files (`RTime.conf` and `ApProcessId.conf`). The files are hidden in a system directory on the victim’s machine and are used for the C2 communication that follows.
Beaconing and Control
Interactsh, an open-source out-of-band interaction server that penetration testers use to catch callbacks from their payloads, is repurposed by the threat actors to receive progress reports on each infection stage and to gather information about the victim. Because the traffic is AES-encrypted, intercepting and analysing the content of the channel is difficult for traditional inspection tools; defenders are largely left with the metadata, in particular the DNS lookups for the Interactsh domains that precede each callback.
Researchers also found that the malware checks for sandbox and virtual-machine environments before doing anything noisy: if the executable finds processes specific to a VM, it terminates itself rather than run in front of an analyst.
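The file-drop and beaconing behaviour described above gives a defender three cheap hunt pivots, and because the C2 payload is AES-encrypted the useful ones are all metadata. The following is an added example written for this page, not Unit 42’s or Socura’s code: it runs over a few constructed Sysmon-style events (process creation, file creation, DNS query) and flags `GlobalProtect.exe` executing outside the assumed default install directory (`C:\Program Files\Palo Alto Networks\GlobalProtect`), creation of the two configuration files named in the report, and DNS lookups for the public Interactsh server domains (the project’s own hosted defaults; an actor running a self-hosted Interactsh instance would use a different domain and would not be caught by this list). Field names follow Sysmon’s; the sample telemetry is constructed and contains no real IOCs.

```python
"""Hunt for the fake-GlobalProtect WikiLoader chain in Sysmon-style JSON events.

Added example for this article (not Unit 42's or Socura's code). Assumptions:
  * the legitimate GlobalProtect client lives under its default install directory
  * the public Interactsh domains below are the ones an attacker would use if
    they did not self-host the server
  * events are Sysmon EventID 1 (process create), 11 (file create), 22 (DNS query)
"""
import json
from dataclasses import dataclass

# Assumed default install location of the real GlobalProtect client (lower-cased for comparison).
LEGIT_GP_DIR = r"c:\program files\palo alto networks\globalprotect"
# Configuration files dropped by setup.exe according to the Unit 42 report.
CONFIG_FILES = {"rtime.conf", "approcessid.conf"}
# Public Interactsh server domains (project defaults); a self-hosted server uses another domain.
OAST_DOMAINS = ("oast.fun", "oast.live", "oast.me", "oast.online",
                "oast.pro", "oast.site", "interact.sh")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def check_process(ev: dict):
    """EventID 1: GlobalProtect.exe running from anywhere but the install directory."""
    image = ev.get("Image", "")
    if _basename(image) == "globalprotect.exe" and not _dirname(image).startswith(LEGIT_GP_DIR):
        return Finding(ev["Computer"], "globalprotect_outside_install_dir", image)
    return None


def check_file(ev: dict):
    """EventID 11: one of the loader's configuration files being written."""
    target = ev.get("TargetFilename", "")
    if _basename(target) in CONFIG_FILES:
        return Finding(ev["Computer"], "wikiloader_config_dropped", target)
    return None


def check_dns(ev: dict):
    """EventID 22: any lookup for an Interactsh default domain or a subdomain of one."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in OAST_DOMAINS):
        return Finding(ev["Computer"], "interactsh_beacon", q)
    return None


CHECKS = {1: check_process, 11: check_file, 22: check_dns}


def hunt(lines):
    """Run every applicable check over newline-delimited JSON events; return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def suspicious_hosts(findings, min_rules: int = 2):
    """Hosts that hit at least `min_rules` distinct rules. A lone OAST lookup may be a
    pentester's test; the config drop, rogue binary and beacon together are the chain."""
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry (not real IOCs): legitimate client on HOST-A, infection on HOST-B.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "HOST-A", "Image": "C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\GlobalProtect.exe"}
{"EventID": 22, "Computer": "HOST-A", "QueryName": "vpn.example.com"}
{"EventID": 1, "Computer": "HOST-B", "Image": "C:\\Users\\bob\\Downloads\\setup.exe"}
{"EventID": 11, "Computer": "HOST-B", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\RTime.conf"}
{"EventID": 11, "Computer": "HOST-B", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\ApProcessId.conf"}
{"EventID": 1, "Computer": "HOST-B", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\GlobalProtect.exe"}
{"EventID": 22, "Computer": "HOST-B", "QueryName": "HOST-B.stage2.abcdef0123456789.oast.fun"}
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS.splitlines())
    for f in found:
        print(f"{f.host}: {f.rule} -> {f.evidence}")
    print("suspicious hosts:", suspicious_hosts(found))
```

Each rule on its own is noisy (a red team using Interactsh, a user who installed the VPN client to a custom path), which is why the host-level correlation is the alert and the individual findings are the evidence attached to it. The DNS rule is deliberately written against the query name rather than the encrypted payload, since that is all the AES channel leaves visible.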
Recommendations
- Educate users to download and install software only from verified sources, or to ask their IT team to provide the tools they need.
- Limit user access to only the data and systems they need, to reduce the impact of a compromised endpoint.
- Consider blocking sponsored search results and ad networks at the DNS or firewall level, which cuts off the malvertising delivery vector.
Here at Socura, we constantly monitor our customers’ environments, deploy appropriate detection rules and conduct comprehensive threat hunts for emerging threats to keep our customers safe. Palo Alto’s Cortex XDR detects and prevents this activity through Behavioral Threat Protection, while their Next-Generation Firewall identifies known URLs and domains associated with the campaign as malicious.
IOCs can be found here and here