Hackers have discovered a new approach to distributing malware using Palo Alto Networks’ GlobalProtect VPN software. Instead of the usual phishing email distribution, this malware is spread via a carefully designed search engine optimization (SEO) campaign. The culprits exploit certain issues within the VPN to install ransomware, blending into popular search topics to increase the chance that users click on their compromised links.
This fresh malware distribution method has sparked global cybersecurity concerns. The deceptive strategies used in the SEO campaign render malicious link detection more challenging. Hence, internet users are urged to stay vigilant and be wary of suspicious search results. Meanwhile, the cybersecurity firm is striving to patch any security flaws and nullify this threat, encouraging users to regularly update their VPN software.
Such an incident underscores the importance of staying updated about the latest cybersecurity threats and practicing safe web browsing. The blending of SEO techniques with malicious intentions reveals a significant evolution in the methods employed by cybercriminals. Cyber experts predict this trend could mark the onset of a new era of cyber threats, with criminals potentially employing more adept tactics, bypassing conventional cybersecurity measures.
The circulated malware is an iteration of the WikiLoader, also known as “WailingCrab”, and is linked to a cyber threat actor known as TA544.
SEO campaign: New method for malware distribution
This harmful software has been implicated in several damaging incidents, including the delivery of Danabot and Ursnif. The dangerous capability of WikiLoader is its ability to carry multiple types of payloads; Danabot and Ursnif in particular have been associated with a range of cyber threats and attacks.
This malware distribution involves fake websites that replicate GlobalProtect and cloud-based Git repositories. Users searching for GlobalProtect software are lured by Google ads and redirected to counterfeit download pages, where the malware infection begins. Once on this deceptive site, the user downloads what seems to be a legitimate version of GlobalProtect. However, the software is infected with malware, often unbeknownst to the user.
The infection process involves an MSI installer that impersonates a valid share trading application from TD Ameritrade. The installer subsequently sideloads a harmful DLL, triggering the shellcode and causing the WikiLoader backdoor to download from an external server. Once it is downloaded, it gives the attacker unauthorized access to the compromised systems, enabling them to steal sensitive data and execute malicious applications.
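The chain described in the two paragraphs above (a lure installer dropped from a counterfeit download page, a DLL sideloaded by the installed executable, and a backdoor fetched from an external server) leaves a recognisable trace in endpoint telemetry. The following is an added example of detection logic written for this page, not code from the article or from any vendor: it assumes Sysmon-style image-load (event 7) and network-connect (event 3) records, and the event list, process names and host names in it are constructed for the example.

```python
"""Toy detection for the sideload-then-fetch pattern: a process running from a
user-writable directory loads an unsigned DLL from its own folder, then makes
an outbound connection shortly afterwards.

Assumptions (not from the article): events mirror Sysmon event 7 (ImageLoad)
and event 3 (NetworkConnect); all sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories that normal software installs into; anything else is treated as
# user-writable for this heuristic.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values)
    event_id: int      # 7 = image load, 3 = network connect (Sysmon numbering)
    pid: int
    image: str         # full path of the process image
    parent_image: str  # full path of the parent process image
    target: str        # event 7: loaded DLL path; event 3: destination host
    signed: bool = True  # event 7 only: does the loaded DLL carry a valid signature


def is_user_writable(path: str) -> bool:
    """Crude check: not under a standard system/program directory."""
    return not path.lower().startswith(SYSTEM_DIRS)


def sideload_candidates(events: list[Event]) -> list[Event]:
    """Image loads where a process outside system dirs loads an unsigned DLL
    from the same directory as its own executable: the classic sideload shape."""
    hits = []
    for e in events:
        if e.event_id != 7:
            continue
        exe_dir = PureWindowsPath(e.image).parent
        dll_dir = PureWindowsPath(e.target).parent
        if is_user_writable(e.image) and exe_dir == dll_dir and not e.signed:
            hits.append(e)
    return hits


def staged_payload_fetch(events: list[Event], window: int = 60) -> list[tuple[Event, Event]]:
    """Pair each sideload candidate with the first outbound connection made by
    the same pid within `window` seconds: the stage where the sideloaded DLL
    pulls the second-stage backdoor from an external server."""
    alerts = []
    for s in sideload_candidates(events):
        for e in events:
            if e.event_id == 3 and e.pid == s.pid and s.ts <= e.ts <= s.ts + window:
                alerts.append((s, e))
                break
    return alerts


# Constructed sample telemetry: one benign vendor process, one benign user-dir
# process loading a system DLL, and one lure installed by msiexec that sideloads
# an unsigned DLL and then calls out.
LURE_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\lure"
SAMPLE_EVENTS = [
    Event(100, 7, 4100, "C:\\Program Files\\Vendor\\app.exe",
          "C:\\Windows\\explorer.exe", "C:\\Program Files\\Vendor\\helper.dll", True),
    Event(110, 7, 4200, "C:\\Users\\alice\\tools\\editor.exe",
          "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\kernel32.dll", True),
    Event(120, 7, 4300, LURE_DIR + "\\trading-app.exe",
          "C:\\Windows\\System32\\msiexec.exe", LURE_DIR + "\\helper.dll", False),
    Event(135, 3, 4300, LURE_DIR + "\\trading-app.exe",
          "C:\\Windows\\System32\\msiexec.exe", "payload.example", True),
]

if __name__ == "__main__":
    for sideload, fetch in staged_payload_fetch(SAMPLE_EVENTS):
        print(f"pid {sideload.pid}: {sideload.image} sideloaded {sideload.target}, "
              f"then connected to {fetch.target} ({fetch.ts - sideload.ts}s later)")
```

The same-directory and unsigned conditions are what separate the lure from the two benign records; the parent being msiexec.exe is recorded but deliberately not required, since a legitimate MSI install produces the same parent. Tune `window` and the directory lists to your estate before relying on this as anything more than a triage hint.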
A similar case has been identified by the cybersecurity firm Trend Micro, which observed a comparable scheme infecting Middle Eastern users with backdoor malware through fake GlobalProtect VPN software. To safeguard against such insidious attacks, maintaining rigorous cybersecurity measures and only downloading software from trusted sources is crucial.