Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
Essential information
- Published
- 02/09/2024 20:55
- Modified
- 02/09/2024 22:05
- Tags
- 2024-09-02 dll sideloading globalprotect loader-for-rent seo poisoning wailingcrab wikiloader
- Related entities
- 46 observables, 14 techniques (mitre), 2 malware, 3 others
Description
A variant of WikiLoader loader for rent, also known as WailingCrab, is being delivered via SEO poisoning and spoofing of GlobalProtect VPN software. The campaign primarily affects U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. The attackers employ various evasion techniques, such as fake error messages, process checking, and encryption. The loader demonstrates sophisticated tradecraft, including the use of compromised WordPress sites and cloud-based Git repositories for infrastructure.