Hacking Poisoning GlobalProtect VPN To Deliver WikiLoader Malware On Windows

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers often target VPNs for several illicit purposes like injecting malicious code, stealing sensitive data, and many more.

Besides this, compromising a VPN enables hackers to gain unauthorized access to private networks and monitor user activity without getting detected.

Cybersecurity researchers at Palo Alto Networks recently discovered that hackers have been actively poisoning GlobalProtect VPN software to deliver WikiLoader malware on Windows.

Hacking Poisoning GlobalProtect VPN

WikiLoader is a multistage malware loader, and threat actors have developed this for a multitude of malicious and evasion purposes.

This malware has been active since late 2022, and it primarily uses phishing as a means of delivery.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

For C2, the operators of WikiLoader use compromised WordPress sites and public MQ Telemetry Transport (MQTT) brokers.

Cybersecurity analysts discovered that the WikiLoader campaign leveraging GlobalProtect themed SEO poisoning in June 2024.

WikiLoader is suspected to be leveraged by two IABs (Initial Access Brokers), since it’s a loader for rent and found to be using several complex techniques to make the detection difficult.

Attack chain (Source – Palo Alto Network)

In order to compromise users, threat actors and threat sources used malicious advertising that led to fake GlobalProtect installer pages.

The attack vector was initiated when one of the pirated software called GlobalProtect64.exe, which was originally a share trading tool, launched i4jinst.dll from the application’s .install4j folder.

This DLL was responsible for the decryption of the shellcode contained in the certificate.pem injected to the explorer.exe through the use of thread injection.

The injected code loaded C:WindowsSystem32BingMaps.dll, overwrote the GetBingMapsFactory function with additional shellcode and contacted a compromised WordPress site as the command and control (C2) server. 

For persistence, it created a scheduled task, renamed license_us_EN.html (actually Microsoft Sysinternals’ AdInsight.exe), and placed it with a .pem file and the WikiLoader backdoor (.dll) in a random ProgramData subdirectory. 

The backdoor used MQTT brokers for tasking and employed DLL sideloading techniques. It decrypted the shellcode from the .pem file using the folder name as the key. 

This attack was detected by Cortex XDR via shellcode prevention and behavioral indicators of compromise (BIOCs), including the unusual scheduled task creation by explorer.exe.

Besides this, the attack also utilized the Mark of the Web (MotW) data and involved more than 400 hidden files in the malicious archive.

Here below we have mentioned all the unique tricks used by WikiLoader:-

  • Fake Error Message
  • Renamed Legitimate Software Used for Side-Loading Backdoor
  • Checks for Analysis Environments
  • Folder Name as Decryption Key for the Backdoor

WikiLoader will likely see continued use by financially motivated actors in 2024 and beyond. However, the shift of WikiLoader from phishing to SEO poisoning for delivery still remains unexplained. 

The loader’s sophisticated infrastructure and evasion techniques highlight its operational security focus.

Mitigations

Here below we have mentioned all the mitigations:-

  • Enhanced SEO poisoning detection
  • Robust endpoint protection
  • Application whitelisting
  • Network segmentation
  • Threat hunting

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!