Palo Alto VPNs Spoofed in WikiLoader Malware Campaign

Cybercriminals have launched a campaign that uses search engine optimization (SEO) poisoning to spread a new variant of the WikiLoader malware. The attackers pose as sellers of GlobalProtect, the virtual private network (VPN) software from Palo Alto Networks. The campaign has primarily affected the US higher education and transportation sectors, as well as organizations based in Italy.

WikiLoader, also known as WailingCrab, is a downloader first discovered by Proofpoint in 2022. It is sold in underground marketplaces by initial access brokers and is typically spread through conventional phishing emails and compromised WordPress sites. Palo Alto Networks' Unit 42 Managed Threat Hunting team first detected this GlobalProtect-themed campaign in June.

The attackers used SEO poisoning to push attacker-controlled web pages advertising the supposed VPN to the top of search engine results. This broadens the pool of potential victims compared with traditional phishing: rather than waiting for a target to open a lure, the operators let victims come to them by searching for the software. The researchers noted that while SEO poisoning is not a new technique, it remains an effective way to deliver malware to endpoints.
Source: https://www.darkreading.com/threat-intelligence/cyberattackers-spoof-palo-alto-vpns-to-spread-wikiloader-variant