September 4, 2024 at 01:42AM
A new malware campaign is using a spoofed version of Palo Alto Networks’ GlobalProtect VPN software to distribute the WikiLoader malware through an SEO campaign. The campaign marks a shift from previous tactics: it delivers the malware via fake GlobalProtect download pages and includes anti-analysis checks to avoid detection.
The main takeaways are:
– A new malware campaign is spoofing Palo Alto Networks’ GlobalProtect VPN software to deliver the WikiLoader loader via an SEO campaign, a departure from previous phishing tactics.
– WikiLoader has been attributed to a threat actor tracked as TA544, which has used email attacks to deploy Danabot and Ursnif.
– Attackers are using SEO poisoning to trick users into visiting fake GlobalProtect download pages, which triggers the infection sequence.
– The infection chain uses a renamed copy of a legitimate share-trading application to sideload a malicious DLL, which executes shellcode that downloads and launches the WikiLoader backdoor.
– The threat actors have incorporated anti-analysis checks to terminate the malware if running in a virtualized environment.
– It is theorized that the shift to SEO poisoning could be the work of a new initial access broker (IAB) or a response to public disclosure.
– Another campaign leveraging fake GlobalProtect VPN software to infect users with backdoor malware in the Middle East was uncovered by Trend Micro.