Back

Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

Sept. 2, 2024, 10:05 p.m.

Tags

globalprotect
seo poisoning
dll sideloading
2024-09-02
wikiloader
wailingcrab
loader-for-rent

External References

https://unit42.paloaltonetworks.com/

https://otx.alienvault.com/

Description

A variant of WikiLoader loader for rent, also known as WailingCrab, is being delivered via SEO poisoning and spoofing of GlobalProtect VPN software. The campaign primarily affects U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. The attackers employ various evasion techniques, such as fake error messages, process checking, and encryption. The loader demonstrates sophisticated tradecraft, including the use of compromised WordPress sites and cloud-based Git repositories for infrastructure.

Date

Published Created Modified
Sept. 2, 2024, 8:55 p.m. Sept. 2, 2024, 8:55 p.m. Sept. 2, 2024, 10:05 p.m.

Indicators

f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2

f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665

edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9

ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe

e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41

e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b

e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32

d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f

c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c

c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c

c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6

b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0

abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed

a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b

9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024

8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a

912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35

82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85

78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215

76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9

6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9

66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b

69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8

5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7

551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da

534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3

4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415

4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18

4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9

2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec

2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415

2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08

1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee

148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819

1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd

0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f

0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742

0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66

50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51

https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1

https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1

https://globalprotect.securedownload.today/GlobalProtect64.zip

https://globalprojectvpn.com

https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1

https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1

https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1

Attack Patterns

WikiLoader

WailingCrab

T1574.002

T1027.002

T1547.001

T1497

T1204.002

T1218

T1105

T1071

T1102

T1055

T1036

T1140

T1027

T1059

Additional Informations

Transportation

Education

United States of America