A new malware campaign is using a fake version of Palo Alto Networks’ GlobalProtect VPN software to distribute a variant of the WikiLoader (also known as WailingCrab) loader. This campaign, observed in June 2024, deviates from traditional phishing tactics, utilizing search engine optimization (SEO) poisoning instead, according to Unit 42 researchers Mark Lim and Tom Marsden.
The WikiLoader malware, first documented by Proofpoint in August 2023, has been attributed to the threat actor group TA544. Initially propagated via phishing emails to deliver Danabot and Ursnif, the current campaign relies on SEO poisoning to lure users into visiting spoofed websites posing as legitimate GlobalProtect download pages.
Victims reach the fake software through a Google ad. The downloaded MSI installer contains an executable (GlobalProtect64.exe) that is a renamed copy of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab). This file is used to sideload a malicious DLL named i4jinst.dll, which ultimately executes shellcode to download and launch the WikiLoader backdoor from a remote server.
To further deceive victims, the installer displays a fake error message at the end of the process, claiming that certain libraries are missing from the system. Additionally, anti-analysis checks are employed to detect whether WikiLoader is running in a virtualized environment, terminating the process if any virtual machine software is detected.
The use of SEO poisoning as the initial access vector reflects the evolving tactics of cybercriminals. Cloned websites, cloud-based Git repositories, and legitimate infrastructure were all leveraged to enhance the malware’s effectiveness. While the exact motivation for switching from phishing to SEO poisoning remains unclear, Unit 42 suggests it could be the work of another initial access broker (IAB) or a response to public disclosure.
This campaign was disclosed just days after Trend Micro uncovered a similar operation in the Middle East, which also used fake GlobalProtect VPN software to infect users with backdoor malware.
Always verify the source before downloading software to protect against such malicious campaigns.