Spoofed GlobalProtect Delivers Unique WikiLoader Variant

Unit 42’s Managed Threat Hunting team identified a WikiLoader variant called WailingCrab delivered via SEO poisoning and GlobalProtect spoofing. The write-up covers the campaign’s evasion tradecraft, delivery infrastructure, and hunting/detection guidance, including Cortex XDR queries and IOC details. #WikiLoader #GlobalProtect

Key Points

  • WikiLoader Variant: Identified as WailingCrab, delivered via SEO poisoning.
  • Delivery Method: Spoofing GlobalProtect VPN software through cloned websites.
  • Historical Activity: Active since late 2022, initially delivered via phishing.
  • Target Sectors: Primarily affects U.S. higher education and transportation sectors.
  • Evasion Techniques: Includes anti-analysis checks, typosquatting, and using legitimate sites for C2.
  • Indicators of Compromise: Provided URLs and SHA-256 hashes for detection.
  • Detection Mechanisms: Multiple XQL queries for Cortex XDR shared for threat hunting.

MITRE Techniques

  • [T1071.001] Application Layer Protocol – Using MQTT for C2 communications.
  • [T1203] Exploitation for Client Execution – Malicious payload executed upon downloading the spoofed GlobalProtect installer.
  • [T1547.001] Startup Items – Creating scheduled tasks for persistence.
  • [T1562] Impair Defenses – Using legitimate software renamed to evade detection, and fake error messages to mislead users.
  • [T1071] Application Layer Protocol – Using MQTT brokers for C2 communications.
  • [T1555] Credentials from Password Stores – Potentially accessing credentials through injected code.

Indicators of Compromise

  • [URL] Delivery URLs – hxxps://globalprotect[.]securedownload[.]today/GlobalProtect64.zip, hxxps://globalprojectvpn[.]com, and 1 more URL (Bitbucket project hosting fake GlobalProtect64.zip)
  • [URL] WikiLoader C2 URLs – hxxps://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1, hxxps://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1
  • [SHA-256] Hashes for WikiLoader shellcode loader DLLs – d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f, 534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3
  • [SHA-256] Hashes for WikiLoader backdoor – 4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9, c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c
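The indicators above are published defanged, so they have to be normalised before they can be matched against telemetry. The script below is an added example (it is not Unit 42's code and not the Cortex XDR XQL queries the write-up shares): it refangs the listed URLs, matches proxy records on exact URL or on the IOC domain and its subdomains, and matches endpoint file events on the listed SHA-256 hashes. The IOC values are taken from this page; the proxy log lines, host names, file paths and the non-IOC hashes are constructed sample data.

```python
"""Match the published WikiLoader/WailingCrab IOCs against sample telemetry.

Added example, not Unit 42's code. IOC strings are the ones listed in the
write-up; every log record below is constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as published.
IOC_URLS = [
    "hxxps://globalprotect[.]securedownload[.]today/GlobalProtect64.zip",
    "hxxps://globalprojectvpn[.]com",
    "hxxps://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1",
    "hxxps://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1",
]
IOC_SHA256 = {
    # shellcode loader DLLs
    "d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f",
    "534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3",
    # backdoor
    "4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9",
    "c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def ioc_domains(urls=IOC_URLS) -> set:
    """Hostnames of the refanged IOC URLs, lower-cased."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def domain_matches(host: str, ioc_hosts: set) -> bool:
    """True when host is an IOC domain or a subdomain of one (label-aware,
    so 'notglobalprojectvpn.com' does not match 'globalprojectvpn.com')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_hosts)


# Constructed proxy log format: <ts> <src_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(lines, ioc_urls=IOC_URLS):
    """Return (src_ip, host, reason) for every record that hits an IOC.
    Exact-URL hits take precedence over domain hits."""
    hosts = ioc_domains(ioc_urls)
    exact = {refang(u).lower() for u in ioc_urls}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip records that do not parse rather than crash a hunt
        url = m["url"]
        host = urlsplit(url).hostname or ""
        if url.lower() in exact:
            hits.append((m["src"], host, "exact-url"))
        elif domain_matches(host, hosts):
            hits.append((m["src"], host, "domain"))
    return hits


def scan_file_events(events, hashes=IOC_SHA256):
    """Return (host, path) for file events whose SHA-256 is a listed IOC."""
    return [(e["host"], e["path"]) for e in events if e["sha256"].lower() in hashes]


# Constructed sample telemetry (not from the report).
PROXY_LOG = [
    "2024-08-29T10:01:12Z 10.0.4.17 GET https://globalprotect.securedownload.today/GlobalProtect64.zip 200",
    "2024-08-29T10:03:40Z 10.0.4.17 GET https://www.example.com/search?q=globalprotect+download 200",
    "2024-08-29T10:05:02Z 10.0.4.22 POST https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1 200",
    "2024-08-29T10:05:30Z 10.0.4.22 GET https://cdn.globalprojectvpn.com/update.json 404",
    "2024-08-29T10:06:55Z 10.0.4.31 GET https://paloaltonetworks.com/ 200",
    "malformed record that should be skipped",
]
FILE_EVENTS = [
    {"host": "WS-0417", "path": r"C:\Users\a\Downloads\GlobalProtect64\GlobalProtect64.exe",
     "sha256": "0" * 64},  # constructed placeholder hash, not an IOC
    {"host": "WS-0417", "path": r"C:\Users\a\Downloads\GlobalProtect64\loader.dll",  # constructed path
     "sha256": "D4EB9A4EE389F03C402E553724015AF8D5B85835828BD66B1B45131B6837802F"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("network hit:", hit)
    for hit in scan_file_events(FILE_EVENTS):
        print("file hit:", hit)
```

Matching on the IOC domain rather than only the full URL is what catches the second host here (a subdomain of the typosquatted VPN domain); the trade-off is that a listed domain which is a compromised legitimate site (the two WordPress C2 hosts) will also flag benign traffic to that site, so domain hits are worth triaging separately from exact-URL hits.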

Read more: https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/