

September 4, 2024
Severity
High
Analysis Summary
A new malware campaign is using search engine optimization (SEO) poisoning to deliver a variant of the WikiLoader (also known as WailingCrab) loader by impersonating Palo Alto Networks' GlobalProtect VPN software.
The malvertising activity, observed in June 2024, departs from the previously documented distribution strategy, in which the malware arrived through conventional phishing emails. WikiLoader, first documented in August 2023, has been linked to the TA544 threat actor, which has used email campaigns carrying the loader to install Danabot and Ursnif. In early April 2024, a South Korean cybersecurity firm described an attack campaign that used a trojanized Notepad++ plugin as the distribution vector.
According to the researchers, the loader is rented out and is believed to be used by at least two initial access brokers (IABs), and its attack chains are characterized by techniques designed to evade security tooling. As an initial access vector, SEO poisoning lures users to a website that mimics a legitimate search result and delivers malware instead of the product they searched for. The delivery infrastructure in this operation combined cloud-based Git repositories with cloned websites rebranded as GlobalProtect.

As a result, users searching for the GlobalProtect software are shown Google advertisements; clicking one leads to a fake GlobalProtect download page, which begins the infection chain. The executable "GlobalProtect64.exe" bundled in the MSI installer is a renamed copy of a legitimate TD Ameritrade (now part of Charles Schwab) share-trading application, which is abused to sideload a malicious DLL named "i4jinst.dll". The DLL executes shellcode that, through a series of stages, downloads and launches the WikiLoader backdoor from a remote server.
Once installation finishes, a fake error message claiming that some libraries are missing from the victim's Windows machine is displayed, reinforcing the installer's appearance of legitimacy. Besides using renamed copies of genuine software to sideload the malware, the threat actors have added anti-analysis checks: WikiLoader detects whether it is running in a virtualized environment and terminates itself when processes associated with virtual machine software are found.
Although the reason for switching from phishing to SEO poisoning is unknown, researchers speculate that the campaign may be the work of another IAB, or that the groups already distributing the malware changed tactics in response to public exposure.
The mix of legitimate, compromised, and spoofed infrastructure used in WikiLoader campaigns highlights the malware authors' focus on building a reliable loader with multiple command-and-control configurations that are operationally secure. Days earlier, researchers disclosed a separate campaign that uses a fake GlobalProtect VPN application to infect users in the Middle East with backdoor malware.
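The sideloading step described above (a renamed signed executable loading a malicious DLL dropped next to it) can be caught behaviourally rather than by hash. The following is an added example, not code from this advisory or from the researchers it cites: a detection rule run over Sysmon Event ID 7 (ImageLoad) style records. The record fields, directory list and sample events are constructed for the example, and the rule generalizes beyond this campaign to any unsigned or invalidly signed DLL loaded from the same user-writable directory as its host executable, with the "i4jinst.dll" name from this campaign as an extra high-confidence match.

```python
import ntpath
from dataclasses import dataclass

# Directories where vendor software normally lives. A DLL loaded from outside these,
# from the same folder as a user-dropped EXE, is the classic sideload pattern.
PROTECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# DLL name reported in this campaign (sideloaded by the renamed GlobalProtect64.exe).
KNOWN_SIDELOAD_DLLS = {"i4jinst.dll"}


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 record; field names chosen for this example."""
    image: str             # process executable that performed the load
    image_loaded: str      # DLL that was mapped into it
    signed: bool           # Sysmon 'Signed' field
    signature_status: str  # Sysmon 'SignatureStatus', e.g. "Valid", "Unavailable", "Errors"


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like DLL sideloading (empty = benign)."""
    reasons = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if dll_name in KNOWN_SIDELOAD_DLLS:
        reasons.append("DLL name matches the sideloaded DLL reported in this campaign")
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    same_dir = exe_dir == dll_dir
    protected = dll_dir.startswith(PROTECTED_DIRS)
    bad_sig = (not ev.signed) or ev.signature_status.lower() != "valid"
    if same_dir and not protected and bad_sig:
        reasons.append("unsigned or invalidly signed DLL loaded from the EXE's own user-writable directory")
    return reasons


def scan(events):
    """Run assess() over a batch of events and keep only the flagged loads."""
    out = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            out.append({"image": ev.image, "dll": ev.image_loaded, "reasons": reasons})
    return out


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    # the campaign's pattern: renamed EXE in Downloads loading i4jinst.dll beside it
    ImageLoad(r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
              r"C:\Users\alice\Downloads\GlobalProtect\i4jinst.dll", False, "Unavailable"),
    # same EXE loading a system DLL from System32: not a sideload
    ImageLoad(r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    # developer tool loading a validly signed helper from its own folder: benign
    ImageLoad(r"C:\Users\bob\tools\build.exe", r"C:\Users\bob\tools\helper.dll", True, "Valid"),
    # generic sideload: unsigned version.dll next to an EXE on the desktop
    ImageLoad(r"C:\Users\bob\Desktop\viewer.exe", r"C:\Users\bob\Desktop\version.dll", False, "Unavailable"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("    ", reason)
```

The second rule deliberately does not require the host executable to be unsigned: in this campaign the EXE is a genuinely signed trading application, so signature checks on the process alone would pass. Tune PROTECTED_DIRS to your own software deployment paths before using it on real Sysmon data.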
Impact
- Security Bypass
- Identity Theft
- Unauthorized Remote Access
- Code Execution
Indicators of Compromise
URL
- https://globalprotect.securedownload.today/GlobalProtect64.zip
- https://globalprojectvpn.com/
- https://bitbucket.org/bitprotect/globalproject/src/main/
- https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1
- https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1
- https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1
- https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1
- https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1
MD5
- 6613ccb93ce4eb0ab7671d1ca91b95af
- 780996c25b9928ef168fc61a18e56f81
- 6136ce65b22f59b9f8e564863820720b
- 8b7a358005eff6c44d66e44f5b266d33
- 2126f8d0d398ef95e1c505209986b638
- d294c892c0e092752d9173f4dc6b467d
- 57439e19c45bc847f6d62825c1008108
- 67b3201085b9b59d58c4a71c8b539bb0
- 39bcba26fed53535dd1e20a6f62a5cdb
- 11a7ba7933ce9940e58fc1c3701875fb
- 8612d97036f5f452bdf3ebb4053d4c81
SHA-256
- d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f
- 534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3
- a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b
- c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c
- f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665
- ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe
- e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
- 78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215
- abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed
- 82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85
- 0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742
SHA-1
- dc5719a51d3a662f04f735cab6c7aa918222707b
- 3ff1d54155a605048dcc2088aca7b5a72245ae77
- 2e4b1e2bbe9ec23d9b1d83a800c06afdf4aafa12
- a8473f2db5cc7d2cba76416be23d7c55fc38c8dc
- 9259f505d8ff5655906b52598e5a139168cec0ab
- e75fd448fd430ebe8f4c1687ee5fb7f4561f5f3e
- c58285c72a5d658f3e4de6c0704fd65eb4a4e298
- f5ca3f5fc58231375d15776eea3b14d1fd9f350d
- 9804ed3849f7038231c3c798f410ff4f3382c92e
- ff4480ba59fd822690f81f4388e049e51879ab4f
- 9142068ba30eb8dcac104b499f14f3972b70dcec
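A triage script that sweeps a directory tree for the file hashes above and proxy or DNS log lines for the URLs above, added here as an example and not part of the original advisory. The indicator values are copied from the lists above; the temporary directory, sample file and log lines in run_demo() are constructed. It treats bitbucket.org as a shared platform and matches the repository path rather than the bare host, since blocking or alerting on all of bitbucket.org would flag unrelated traffic.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Indicators copied from the IOC section above (URLs verbatim, hashes as lower-case hex).
IOC_URLS = [
    "https://globalprotect.securedownload.today/GlobalProtect64.zip",
    "https://globalprojectvpn.com/",
    "https://bitbucket.org/bitprotect/globalproject/src/main/",
    "https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1",
    "https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1",
    "https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1",
    "https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1",
    "https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1",
]
IOC_HASHES = {
    "md5": set("""6613ccb93ce4eb0ab7671d1ca91b95af 780996c25b9928ef168fc61a18e56f81
        6136ce65b22f59b9f8e564863820720b 8b7a358005eff6c44d66e44f5b266d33
        2126f8d0d398ef95e1c505209986b638 d294c892c0e092752d9173f4dc6b467d
        57439e19c45bc847f6d62825c1008108 67b3201085b9b59d58c4a71c8b539bb0
        39bcba26fed53535dd1e20a6f62a5cdb 11a7ba7933ce9940e58fc1c3701875fb
        8612d97036f5f452bdf3ebb4053d4c81""".split()),
    "sha1": set("""dc5719a51d3a662f04f735cab6c7aa918222707b 3ff1d54155a605048dcc2088aca7b5a72245ae77
        2e4b1e2bbe9ec23d9b1d83a800c06afdf4aafa12 a8473f2db5cc7d2cba76416be23d7c55fc38c8dc
        9259f505d8ff5655906b52598e5a139168cec0ab e75fd448fd430ebe8f4c1687ee5fb7f4561f5f3e
        c58285c72a5d658f3e4de6c0704fd65eb4a4e298 f5ca3f5fc58231375d15776eea3b14d1fd9f350d
        9804ed3849f7038231c3c798f410ff4f3382c92e ff4480ba59fd822690f81f4388e049e51879ab4f
        9142068ba30eb8dcac104b499f14f3972b70dcec""".split()),
    "sha256": set("""d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f
        534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3
        a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b
        c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c
        f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665
        ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe
        e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
        78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215
        abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed
        82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85
        0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742""".split()),
}
# Shared platforms: matching the bare host would flag unrelated traffic, so the
# repository path becomes part of the match key for these.
SHARED_HOSTS = {"bitbucket.org"}


def url_match_keys(urls=IOC_URLS):
    """Lower-cased host (or host+path on shared platforms) for substring matching."""
    keys = set()
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        keys.add(host + p.path.rstrip("/") if host in SHARED_HOSTS else host)
    return keys


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def sweep_directory(root, hash_iocs=IOC_HASHES):
    """Return (path, algo, digest) for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
            hits += [(path, a, d) for a, d in digests.items() if d in hash_iocs.get(a, set())]
    return hits


def match_log_lines(lines, keys=None):
    """Return (match_key, line) for proxy/DNS log lines that reference an IOC."""
    keys = keys if keys is not None else url_match_keys()
    return [(k, line.strip()) for line in lines for k in keys if k in line.lower()]


# Constructed proxy log lines, not real traffic.
SAMPLE_PROXY_LOG = [
    "2024-06-12T10:01:02Z 10.0.0.5 GET https://globalprotect.securedownload.today/GlobalProtect64.zip 200",
    "2024-06-12T10:01:40Z 10.0.0.5 GET https://bitbucket.org/someteam/internal-repo/ 200",
    "2024-06-12T10:02:11Z 10.0.0.5 GET https://bitbucket.org/bitprotect/globalproject/src/main/ 200",
    "2024-06-12T10:05:00Z 10.0.0.9 GET https://www.example.com/ 200",
]


def run_demo():
    """Hash sweep over a constructed temp directory plus a log sweep; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample file, not malware")
        # Nothing here can match the advisory's hashes, so a second sweep uses a
        # constructed IOC set holding this file's SHA-256 to exercise the matcher.
        constructed = {"sha256": {file_hashes(sample)["sha256"]}}
        return {
            "real_ioc_hits": sweep_directory(tmp),
            "constructed_ioc_hits": sweep_directory(tmp, constructed),
            "log_hits": match_log_lines(SAMPLE_PROXY_LOG),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

For a real sweep call sweep_directory() on user-writable paths such as Downloads, Temp and the per-user AppData tree first, since that is where the fake installer and its sideloaded DLL land, and feed match_log_lines() your exported proxy or DNS logs one line at a time.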
Remediation
- Block all threat indicators listed above at your respective controls (web proxy, DNS, email and endpoint). The bitbucket.org indicator is a repository path on a shared platform; block that path rather than the whole host.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls: the file hashes on endpoints, and the listed URLs and domains in proxy and DNS logs.
- Alert on an executable named "GlobalProtect64.exe" running from user-writable locations such as Downloads or Temp, and on any process loading an unsigned "i4jinst.dll" from the same directory, since that is the sideloading chain used in this campaign.
- Download the GlobalProtect client only from your organization's GlobalProtect portal or the vendor's official site, and check the URL before downloading; lookalike domains and sponsored search results were the entry point here.
- Verify the Authenticode signature of installers and executables before running them; a GlobalProtect installer that is unsigned, or signed by anyone other than Palo Alto Networks, should be treated as malicious.
- Never download software from untrusted sources. On mobile devices, install apps only from official app stores such as Google Play or the Apple App Store, and review the permissions an app requests before installing it.
- Do not open documents attached to emails from unknown sources, and do not enable macros when the source is not trusted.
- Keep operating systems and applications up to date with the latest security patches and updates.
- Enable antivirus and anti-malware software and keep signature definitions current; multi-layered protection is necessary to secure vulnerable assets.
- Harden your own web platforms alongside your network and systems: the payload URLs above are hosted on compromised websites (several of them WordPress, judging by the wp-content/themes paths) serving PHP scripts from theme and plugin directories, so keep CMS installations, themes and plugins patched and test deployed code for vulnerabilities.
- Maintain cyber hygiene through a patch management lifecycle made part of standard security policy; prioritize patching known exploited vulnerabilities and zero-days.
- Be cautious of unsolicited messages, emails or links, especially from unknown or suspicious sources; avoid clicking suspicious links or downloading attachments from untrusted sources.
- Regularly back up your data to a secure location, such as a cloud storage service or an external drive that is kept offline.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach, and test the plan through simulations to ensure its effectiveness.