Palo Alto Networks' Unit 42 Managed Threat Hunting team recently discovered a new cyberattack that spreads WikiLoader malware by tricking users into downloading a fake version of the GlobalProtect VPN software.
According to the research, hackers are using SEO poisoning, a technique that manipulates search engine results to display malicious websites that appear legitimate.
When users search for GlobalProtect, they may unknowingly visit one of these fraudulent websites, download malware, and infect their systems.
These hackers aren't just sending phishing emails anymore. Instead, they use advertising tricks and website rankings to ensure that their malicious links appear on the first page of search engine results.
This makes the campaign even more dangerous because users expect search engines to return safe and legitimate results.
WikiLoader is a type of “loader” malware, a tool used by cybercriminals to install other types of malicious software on a victim's computer.
In this case, once users download the fake GlobalProtect VPN installer, WikiLoader silently installs itself and begins collecting data.
WikiLoader has been operational since late 2022 and is used by cybercriminals to deliver various malware, including banking trojans such as Danabot and Ursnif.
The malware can collect a variety of data, such as usernames, passwords, and system information.
It can also install additional malware to steal more sensitive data from the infected machine.
In this specific campaign, the attackers disguised their malware as a legitimate VPN tool, GlobalProtect.
Once the fake software is downloaded, WikiLoader installs itself on the victim's computer and operates in the background, evading detection by security software.
This is done through techniques such as using real software names and encrypting portions of the malware, making it more difficult for antivirus programs to detect.
This campaign is unique because the hackers aren't using traditional phishing emails.
Instead, they are employing SEO poisoning, a technique that elevates malicious websites to the top of search engine rankings.
So, users searching for GlobalProtect VPN are directed to websites that appear to be legitimate but are actually fraudulent and contain malware.
The attackers created several websites that resembled the official GlobalProtect download page.
When users download software from these websites, they are essentially downloading malware.
To further trick the users, the hackers used typosquatting, which is the practice of registering domain names that are very similar to well-known brands.
According to the researchers, this malware campaign is specifically aimed at users in the United States, particularly in the higher education and transportation sectors, but SEO poisoning means that anyone searching for the software may be affected.