Cybercriminals have been masquerading as sellers of GlobalProtect,[1] a virtual private network (VPN) software from Palo Alto Networks, and delivering a new variant of WikiLoader malware through search engine optimization (SEO) poisoning.
See: https://redskyalliance.org/xindustry/shifts-in-cyber-attack-tactics
WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint. It's sold in underground marketplaces by initial access brokers, and hackers typically spread the malware using traditional phishing techniques and compromised WordPress sites. Palo Alto's Unit 42 Managed Threat Hunting team initially discovered the current campaign in June 2024. It involved an SEO poisoning technique that positions attacker-controlled web pages advertising the supposed VPN at the top of search engine results. This broadens the scope of potential victims for the threat actors compared to traditional phishing, according to Unit 42.[2]
The campaign has primarily impacted the US higher education and transportation sectors and organizations based in Italy.
"While SEO poisoning is not a new technique, it continues to be an effective way to deliver a loader to an endpoint," the researchers wrote in the Unit 42 analysis. "Spoofing trusted security software is likely to assist in bypassing endpoint controls at organizations that rely on filename-based allow listing."
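To make the last point concrete, here is an added example (not code from Unit 42, Red Sky Alliance, or Palo Alto Networks) that contrasts a filename-based allow list with a content-hash allow list. The filename `GlobalProtect.exe` and the byte strings standing in for the installer and the lookalike are constructed for the example; the real installer name and hashes are not given on the page. The spoofed binary passes the filename policy and fails the hash policy, and that mismatch is the detection signal a defender would alert on.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for file contents; on a real endpoint these would be read from disk.
GENUINE_INSTALLER = b"constructed-bytes: genuine installer"
LOOKALIKE_LOADER = b"constructed-bytes: unrelated payload reusing the trusted name"

# Hypothetical trusted filename (assumption; the page does not state the real installer name).
TRUSTED_NAME = "GlobalProtect.exe"


@dataclass(frozen=True)
class Candidate:
    """An executable observed on an endpoint: its on-disk name and its bytes."""
    filename: str
    content: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Policy 1: filename-based allow listing, the weak control referred to in the Unit 42 quote.
FILENAME_ALLOWLIST = {TRUSTED_NAME}

# Policy 2: content-hash allow listing, derived from the genuine installer's bytes.
HASH_ALLOWLIST = {hashlib.sha256(GENUINE_INSTALLER).hexdigest()}


def allowed_by_filename(c: Candidate) -> bool:
    """Weak check: anything that borrows the trusted name is accepted."""
    return c.filename in FILENAME_ALLOWLIST


def allowed_by_hash(c: Candidate) -> bool:
    """Strong check: only the exact known-good bytes are accepted, whatever the name."""
    return c.sha256 in HASH_ALLOWLIST


def evaluate(candidates):
    """Return one decision record per candidate under both policies."""
    return [
        {
            "filename": c.filename,
            "sha256": c.sha256,
            "filename_policy": allowed_by_filename(c),
            "hash_policy": allowed_by_hash(c),
        }
        for c in candidates
    ]


def spoof_suspects(candidates):
    """Detection: files that would pass the filename-only policy but fail the hash policy.
    A binary dropped under a trusted security product's name produces exactly this mismatch."""
    return [c for c in candidates if allowed_by_filename(c) and not allowed_by_hash(c)]


# Constructed sample: the genuine installer, a lookalike under the same name, and an unrelated file.
SAMPLE = [
    Candidate(TRUSTED_NAME, GENUINE_INSTALLER),
    Candidate(TRUSTED_NAME, LOOKALIKE_LOADER),
    Candidate("unrelated.exe", b"constructed-bytes: something else"),
]

if __name__ == "__main__":
    for record in evaluate(SAMPLE):
        print(record)
    for c in spoof_suspects(SAMPLE):
        print(f"ALERT: {c.filename} matches an allow-listed name but not a known-good hash")
```

Running the block prints three decision records and one alert for the lookalike. In production the hash set would be replaced or supplemented by publisher-signature verification, but the structure of the check is the same: decide on what the file is, not on what it is called.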
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5378972949933166424
[1] https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-for-windows/download-and-install-the-globalprotect-app-for-windows
[2] https://www.darkreading.com/threat-intelligence/cyberattackers-spoof-palo-alto-vpns-to-spread-wikiloader-variant