
Hackers Exploit Fake GlobalProtect VPN in New WikiLoader Malware Campaign

The Silicon Review
04 September, 2024


In a recent cyberattack, hackers have employed a sophisticated tactic by spoofing Palo Alto Networks' GlobalProtect VPN software to distribute a variant of the WikiLoader malware, also known as WailingCrab. The malvertising campaign, which emerged in June 2024, marks a shift from the traditional phishing methods previously used to deliver the malware.

Unit 42 researchers Mark Lim and Tom Marsden identified this new approach, highlighting the use of search engine optimization (SEO) poisoning. In this method, attackers trick users into clicking on Google ads that redirect them to a fake GlobalProtect download page, initiating the infection sequence. The malicious MSI installer poses as a legitimate executable, "GlobalProtect64.exe," but is actually a renamed version of a share trading application from TD Ameritrade. This application is used to sideload a malicious DLL, leading to the execution of WikiLoader. WikiLoader, first documented by Proofpoint in 2023 and linked to the threat actor TA544, has been utilized to deploy other malware like Danabot and Ursnif. The campaign's shift from phishing to SEO poisoning suggests a possible adaptation to evade detection or the involvement of new initial access brokers (IABs).
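The two-step pattern described above, a renamed legitimate binary that then sideloads a DLL from its own directory, is something endpoint telemetry can surface. The detection logic below is an added example, not code from the article or from Unit 42; it assumes Sysmon-style process-create (event 1, with its OriginalFileName field) and image-load (event 7) records, and every path, GUID and file name in the sample data is constructed for the demo.

```python
import ntpath
from typing import Dict, List

# Directories a standard user can write to; a DLL loaded from here beside the
# host EXE is the classic sideloading layout (constructed list, extend as needed).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_renamed_binary(event: Dict[str, object]) -> bool:
    """Event 1: on-disk file name differs from the PE's compiled-in OriginalFileName."""
    on_disk = ntpath.basename(str(event["Image"])).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return original not in ("", "?") and original != on_disk

def is_suspicious_sideload(event: Dict[str, object]) -> bool:
    """Event 7: unsigned DLL loaded from the host EXE's own user-writable directory."""
    image_dir = ntpath.dirname(str(event["Image"])).lower()
    loaded = str(event["ImageLoaded"]).lower()
    return (loaded.endswith(".dll")
            and ntpath.dirname(loaded) == image_dir
            and loaded.startswith(USER_WRITABLE_PREFIXES)
            and str(event.get("Signed", "false")).lower() != "true")

def find_sideload_chains(events: List[Dict[str, object]]) -> List[str]:
    """ProcessGuids where a renamed EXE (event 1) then sideloaded a DLL (event 7)."""
    renamed = {e["ProcessGuid"] for e in events
               if e["EventID"] == 1 and is_renamed_binary(e)}
    return sorted(str(e["ProcessGuid"]) for e in events
                  if e["EventID"] == 7 and e["ProcessGuid"] in renamed
                  and is_suspicious_sideload(e))

# Constructed sample telemetry: every path, GUID and name below is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-a}",
     "Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
     "OriginalFileName": "TradingPlatform.exe", "Company": "Example Broker"},
    {"EventID": 7, "ProcessGuid": "{guid-a}",
     "Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\GlobalProtect\helper.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{guid-b}",
     "Image": r"C:\Program Files\Example\app.exe", "OriginalFileName": "app.exe"},
    {"EventID": 7, "ProcessGuid": "{guid-b}",
     "Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    print("sideload chains:", find_sideload_chains(SAMPLE_EVENTS))
```

The name mismatch alone is noisy on its own (installers and updaters rename binaries legitimately), so the chain requires both conditions on the same process before alerting.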

The attackers also use anti-analysis methods, making sure the malware terminates itself in virtualized environments. This campaign highlights the changing techniques of cybercriminals and the importance of caution against increasingly advanced threats.
