Hackers deploy fake VPN software in cunning new malware scheme

September 5, 2024

TLDR:

  • Hackers are using fake GlobalProtect VPN software to deliver WikiLoader malware.
  • The malware campaign involves SEO poisoning to trick users into downloading malicious software.

A new malware campaign has been discovered that spoofs Palo Alto Networks’ GlobalProtect VPN software to distribute WikiLoader malware through SEO poisoning. The campaign, observed in June 2024, marks a change in tactics for the malware, which had previously been spread through phishing emails. WikiLoader, attributed to the threat actor TA544, has been used in earlier attacks to deploy Danabot and Ursnif.

The attackers have leveraged cloned websites relabeled as GlobalProtect, together with cloud-based Git repositories, to trick users into downloading the fake software. Once downloaded, the malware runs anti-analysis checks to determine whether it is running in a virtualized environment and, if so, terminates itself to avoid detection.

This shift to using SEO poisoning as an initial access vector is a new development in the campaign, and researchers theorize it may be the work of a new initial access broker or a response to public disclosure. The combination of spoofed, compromised, and legitimate infrastructure used in these attacks highlights the malware authors’ efforts to create a secure and robust loader.

Overall, this new malware campaign underscores the importance of staying vigilant against evolving threats and implementing strong cybersecurity measures to protect against malicious actors.
