Detect WikiLoader Attacks: Adversaries Leverage Fake GlobalProtect VPN Software to Deliver a New Malware Variant via SEO Poisoning

The latest stats highlight that in 2023, adversaries deployed an average of 200,454 unique malware scripts per day, equating to roughly 1.5 new samples per minute. To proceed with successful malware attacks, threat actors are juggling with different malicious methods in an attempt to overcome security protections. The latest malicious campaign in the spotlight spoofs legitimate GlobalProtect VPN software by Palo Alto Networks to deliver WikiLoader (aka WailingCrab) through SEO poisoning. 

WikiLoader Malware Attacks Detection

WikiLoader is a sophisticated malicious threat specifically designed to fly under the radar of security solutions. To identify potential attacks at the earliest stages and proactively defend organizational networks, security professionals require curated detection algorithms accompanied by advanced solutions for threat detection & hunting. 

SOC Prime Platform for collective cyber defense aggregates a set of dedicated Sigma rules, enabling cyber defenders to identify WikiLoader infections on time. Just press the Explore Detections button below and immediately access a relevant detection stack.

Explore Detections

All the rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, detections are enriched with extensive metadata, including threat intel references, attack timelines, and triage recommendations, helping to smooth out threat investigation.

WikiLoader Backdoor Analysis

The Unit 42 researchers have uncovered a novel variant of the WikiLoader being distributed through SEO poisoning as the initial access vector and a spoofed version of Palo Alto Networks GlobalProtect VPN software. The latest campaign, first observed in early summer 2024, primarily targets the U.S. higher education and transportation industry sectors and organizations located in Italy.

WikiLoader (aka WailingCrab) is a multistage malicious loader that was first identified in 2022. The TA544 and TA551 hacking groups, both targeting Italian organizations, have been observed behind earlier WikiLoader campaigns. Attackers commonly relied on a phishing attack vector with emails containing attachments in Microsoft Excel, Microsoft OneNote, or PDF format. In the most notable adversary campaigns, WikiLoader delivered Ursnif as a second malicious payload. 

WikiLoader is sold by initial access brokers on underground marketplaces, with phishing and compromised WordPress sites being its common distribution methods. However, the latest campaign switched from phishing to SEO poisoning to rank weaponized pages, promoting a fake VPN at the top of search engine results. According to defenders, this method significantly expands the pool of potential victims compared to traditional phishing.

WikiLoader features sophisticated evasion techniques and custom-coded elements aimed at hindering malware detection and analysis. Specific WikiLoader defense evasion techniques observed in the latest campaign include showing a fake error message upon malware execution, renaming legitimate software and hiding it inside the spoofed GlobalProtect installer to side-load the backdoor, and performing multiple anti-malware analysis checks.

Proofpoint researchers earlier observed at least three different WikiLoader iterations, which displays the malware continuous evolution. The initial version contained a basic syscall structure, minimal obfuscation, no string encoding, and manual creation of fake domains, while the second iteration involved increased syscall complexity, implemented additional busy loops, and relied on string encoding and artifact deletion. The third WikiLoader iteration involves a new indirect syscall technique, file retrieval via MQTT, cookie exfiltration, and more complex shellcode execution. 

Defenders expect that financially driven hacking groups will keep using WikiLoader as a versatile, stealthy Windows loader in various campaigns due to its strong operational security. To help organizations gain a competitive advantage over increasing offensive capabilities, SOC Prime equips security teams with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection for building a robust cybersecurity posture.