Cybersecurity researchers at Palo Alto Networks have uncovered a sophisticated attack targeting GlobalProtect VPN software to deliver WikiLoader malware on Windows systems. Discovered in June 2024, this campaign involves poisoning GlobalProtect-themed search engine optimization (SEO) to lure users into downloading malicious installers. The attackers use fake installer pages to distribute the malware, which exploits vulnerabilities in the VPN software to compromise systems.
The WikiLoader malware, active since late 2022, operates through a complex attack chain. It begins with the execution of a pirated software version named GlobalProtect64.exe, which launches a malicious DLL file from the application’s directory. This DLL is responsible for decrypting shellcode embedded in a certificate file, which is then injected into the Windows Explorer process. The injected code manipulates system functions and communicates with a compromised WordPress site for command and control (C2) operations.
Further analysis reveals that the WikiLoader campaign employs sophisticated evasion techniques to avoid detection. The malware uses DLL sideloading and MQTT brokers for tasking, with the decryption of shellcode based on folder names. Additionally, the attackers create a scheduled task and rename legitimate software files to maintain persistence on the infected system. The attack also involves hidden files and utilizes the Mark of the Web (MotW) data to obfuscate its presence.
To mitigate the risks associated with such advanced threats, experts recommend several defensive measures. These include enhanced detection of SEO poisoning, robust endpoint protection, application whitelisting, and network segmentation. Threat hunting practices are also crucial to identify and address potential vulnerabilities. The continued use of WikiLoader by financially motivated actors underscores the need for vigilance and comprehensive security strategies to protect against evolving cyber threats.
Reference:
