SEO poisoning and VPN spoofing are being used to attack anything and everything with WikiLoader malware

Hackers deploying the WikiLoader malware are changing tactics, moving from phishing to SEO poisoning and VPN spoofing, according to a new report. According to cybersecurity researchers at Palo Alto Networks Unit 42, the new tactics observed a few months ago expand the range of potential victims.

In June of this year, Unit 42 began monitoring websites that claimed to offer GlobalProtect for download. GlobalProtect is Palo Alto Networks’ virtual private network (VPN) solution. It provides secure remote access to users outside of the corporate network, ensuring that their connections to the network are secure and their traffic is protected.

The websites were clearly fake, and the products offered for download were counterfeit and contained a piece of malware. After creating the websites, the hackers turned to SEO poisoning to give the sites a high ranking in search engines such as Google or Bing.

WikiLoader

SEO poisoning is a tactic where hackers link to the malicious site from many different sources, tricking search engines into viewing the site as a trustworthy source of information.

When people then search for different keywords (for example, a VPN service), search engines will rank the malicious site relatively high on the results page. This increases the chance that people will pick up the malware.

The malware distributed in this campaign is called WikiLoader. Also known as WailingCrab, this multistage malware loader acts as a gatekeeper that allows malicious actors to drop additional payloads as they see fit. As such, it is typically deployed by initial access brokers (IABs), who later sell access to the loader to a third party, who can then do with it as they please.

Unit 42 saw WikiLoader primarily impact U.S. higher education and transportation, the company said. But since SEO poisoning affects everyone, it’s likely that other people will get infected, too.
