Hackers Use Fake VPN Software to Spread ‘WikiLoader’ Malware





Palo Alto Networks’ Unit 42 researchers have discovered a new malware campaign that leverages search engine optimization (SEO) poisoning to deliver a previously undocumented variant of the sophisticated downloader malware WikiLoader. The malware, also known as WailingCrab, was first identified by security firm Proofpoint in 2023.

The threat actors behind this campaign have cloned a variety of legitimate websites to host malicious content, including fake GlobalProtect VPN download pages. GlobalProtect is a virtual private network (VPN) product offered by cybersecurity firm Palo Alto Networks. In a blog post, Unit 42 explains that to get users to the fake GlobalProtect download pages, the attackers are using SEO poisoning.

SEO poisoning is a technique that manipulates search engine results to display malicious websites that appear legitimate. When users search for GlobalProtect, they may unknowingly visit one of these fraudulent websites, download malware, and infect their systems.

“This campaign’s delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories,” the Unit 42 researchers wrote. “As a result, the threat actors were able to manipulate search results for legitimate, trusted websites to ensure that their malicious links appeared on the first page of search engine results, making the campaign especially dangerous.”

To spread the malware, the attackers distribute a fake GlobalProtect installer that drops WikiLoader on the victim’s computer. The malware then runs in the background, collecting data and potentially downloading and installing additional malicious software.

In addition to the fake installer, the threat actors have created a variety of other malicious content, including an MSI installer that contains the malware, the researchers say.

“The malware authors went to great lengths to make the campaign’s GlobalProtect-themed infrastructure and malware appear legitimate,” according to Unit 42. “The threat actors registered their infrastructure domains using a variety of different registrars to make the domains appear less suspicious. The attackers even went as far as to use the legitimate Palo Alto Networks software code signing certificate to sign the malware, which can trick security products into trusting the files.”

The campaign is attributed to an initial access broker — a group that sells access to networks compromised by other malware operators — that’s believed to be new to the WikiLoader ecosystem, the researchers say. It’s not clear how many organizations and individuals might have been impacted, but the researchers believe the campaign “almost certainly broadens the scope of possible victims compared to phishing.”
