Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

Sept. 2, 2024, 10:05 p.m.

Description

A variant of the WikiLoader loader-for-rent, also known as WailingCrab, is being delivered through SEO poisoning and spoofed GlobalProtect VPN software. The campaign primarily affects the U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. The attackers employ several evasion techniques, such as fake error messages, process checking, and encryption. The loader demonstrates sophisticated tradecraft, including the use of compromised WordPress sites and cloud-based Git repositories for infrastructure.

Date

  • Created: Sept. 2, 2024, 8:55 p.m.
  • Published: Sept. 2, 2024, 8:55 p.m.
  • Modified: Sept. 2, 2024, 10:05 p.m.

Indicators

  • f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2
  • f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665
  • edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9
  • ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe
  • e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
  • e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b
  • e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32
  • d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f
  • c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c
  • c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c
  • c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6
  • b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0
  • abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed
  • a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b
  • 9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024
  • 8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a
  • 912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35
  • 82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85
  • 78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215
  • 76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9
  • 6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9
  • 66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b
  • 69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8
  • 5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7
  • 551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da
  • 534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3
  • 4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415
  • 4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18
  • 4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9
  • 2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec
  • 2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415
  • 2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08
  • 1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee
  • 148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819
  • 1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd
  • 0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f
  • 0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742
  • 0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66
  • 50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51
  • https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1
  • https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1
  • https://globalprotect.securedownload.today/GlobalProtect64.zip
  • https://globalprojectvpn.com
  • https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1
  • https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1
  • https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1

Attack Patterns

Additional Information

  • Transportation
  • Education
  • United States of America