In a new cyber attack campaign, malicious software WikiLoader is being distributed through SEO poisoning, with hackers claiming to offer VPN software from cybersecurity firm Palo Alto Networks as bait. This revelation comes from Palo Alto Networks’ threat intelligence team, Unit 42, which has highlighted the dangers of this targeted attack and urged users to be vigilant.
Targeted Attack Using SSL VPN Service as Lure
The campaign, which was first observed in June this year, targets primarily U.S. higher education institutions and transportation units. The attackers are using a technique known as SEO poisoning, which broadens the attack’s reach compared to traditional phishing methods.
The attackers impersonate Palo Alto Networks’ SSL VPN service, GlobalProtect, by creating fake websites that appear at the top of search engine results when users search for the service. Once users click on the malicious advertisements, they are directed to a fake website hosted on a cloud-based Git repository, from where they download a ZIP file labeled as the installation program.
Upon decompression, users are likely to see only the GlobalProtect64.exe executable file. However, researchers at Unit 42 have discovered that the ZIP file contains over 400 files, most of which are hidden. When the executable file is run, the hackers use a DLL sideloading technique to load the first WikiLoader component.
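As an added illustration (not code from the Unit 42 report or this article), the following Python script shows how a defender can triage a downloaded archive for the layout described above: a single visible executable surrounded by many entries carrying the MS-DOS "hidden" attribute. The sample archive it builds is constructed in memory with made-up file names, so it runs offline.

```python
import io
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr
# (PKWARE APPNOTE); 0x02 is the "hidden" flag Explorer honours.
DOS_HIDDEN = 0x02


def build_sample_archive() -> bytes:
    """Constructed sample: one visible EXE plus 40 hidden DLLs (names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Visible entry; placeholder bytes, not a real PE file.
        zf.writestr("GlobalProtect64.exe", b"MZ" + b"\x00" * 64)
        for i in range(40):
            info = zipfile.ZipInfo(f"lib{i:03d}.dll")
            info.external_attr = DOS_HIDDEN  # hidden attribute set on extraction
            zf.writestr(info, b"MZ" + b"\x00" * 16)
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Count visible vs hidden members and flag the 'lone visible EXE' pattern."""
    visible, hidden = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            # Hidden either via the DOS attribute bit or a dot-prefixed name.
            is_hidden = bool(info.external_attr & DOS_HIDDEN) or base.startswith(".")
            (hidden if is_hidden else visible).append(info.filename)
    total = len(visible) + len(hidden)
    suspicious = (
        total > 0
        and len(visible) == 1
        and visible[0].lower().endswith(".exe")
        and len(hidden) / total >= 0.5
    )
    return {
        "total": total,
        "visible": visible,
        "hidden_count": len(hidden),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

Treat the result as one triage signal rather than a verdict: the hidden bit is only present when the archive creator stored DOS attributes, so an absent flag proves nothing.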
Multi-Stage Infection Process
The DLL component then loads additional modules and unpacks shellcode, which is injected into the Windows File Explorer process. The injected code communicates with a C2 server, often a compromised WordPress website, using the MQTT protocol, a lightweight messaging protocol commonly used by IoT devices.
Following this, the code loads Sysinternals utility components and downloads the WikiLoader backdoor from the C2 server, executing it through sideloading. The exact malicious software that the hackers install on the victim’s computer through WikiLoader remains unclear, according to the researchers.
Deceptive Error Messages to Avoid Detection
To avoid raising suspicion, the attackers use deceptive error messages. For instance, the fake installation program does not actually deploy GlobalProtect. Instead, after the malicious payload is loaded, the attackers display an error message indicating that a specific library is missing, preventing the installation from completing.
This approach is particularly concerning because of its targeted nature. The attackers are likely focusing on individuals who use GlobalProtect, suggesting a deeper understanding of their potential victims and their habits.
Call for User Vigilance
Palo Alto Networks has issued a warning to users, emphasizing the importance of remaining alert to such sophisticated attack techniques. The use of SEO poisoning to distribute malware is not new, but the level of detail and targeting in this campaign highlights the evolving nature of cyber threats.
The attackers’ choice of using a legitimate VPN service as bait is particularly cunning, as it preys on users’ trust in security products. This campaign underscores the need for continuous education and awareness among users to recognize and mitigate such threats.
Conclusion
The WikiLoader malware distribution campaign is a stark reminder of the ingenuity and adaptability of cybercriminals. By leveraging SEO poisoning and impersonating legitimate services, they are able to cast a wide net and target specific groups effectively. As cyber threats continue to evolve, it is crucial for individuals and organizations to stay informed and implement robust security measures to protect against these sophisticated attacks.