{
  "name": "Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant",
  "slug": "spoofed-globalprotect-used-to-deliver-unique-wikiloader-variant",
  "description": "A variant of WikiLoader, a loader for rent also known as WailingCrab, is being delivered via SEO poisoning and spoofing of the GlobalProtect VPN software. The campaign primarily affects the U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. The attackers employ various evasion techniques, such as fake error messages, process checks, and encryption. The loader demonstrates sophisticated tradecraft, including the use of compromised WordPress sites and cloud-based Git repositories for infrastructure.",
  "published": "2024-09-02T18:55:21+00:00",
  "created_at": "2024-09-02T18:55:21+00:00",
  "modified_at": "2024-09-02T20:05:03+00:00",
  "created_at_opencti": "2024-09-02T18:55:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-02",
    "dll sideloading",
    "globalprotect",
    "loader-for-rent",
    "seo poisoning",
    "wailingcrab",
    "wikiloader"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1"
      },
      {
        "id": "",
        "name": "https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1"
      },
      {
        "id": "",
        "name": "https://globalprotect.securedownload.today/GlobalProtect64.zip"
      },
      {
        "id": "",
        "name": "https://globalprojectvpn.com"
      },
      {
        "id": "",
        "name": "https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1"
      },
      {
        "id": "",
        "name": "https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1"
      },
      {
        "id": "",
        "name": "https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1"
      },
      {
        "id": "",
        "name": "f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2"
      },
      {
        "id": "",
        "name": "f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665"
      },
      {
        "id": "",
        "name": "edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9"
      },
      {
        "id": "",
        "name": "ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe"
      },
      {
        "id": "",
        "name": "e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41"
      },
      {
        "id": "",
        "name": "e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b"
      },
      {
        "id": "",
        "name": "e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32"
      },
      {
        "id": "",
        "name": "d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f"
      },
      {
        "id": "",
        "name": "c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c"
      },
      {
        "id": "",
        "name": "c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c"
      },
      {
        "id": "",
        "name": "c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6"
      },
      {
        "id": "",
        "name": "b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0"
      },
      {
        "id": "",
        "name": "abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed"
      },
      {
        "id": "",
        "name": "a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b"
      },
      {
        "id": "",
        "name": "9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024"
      },
      {
        "id": "",
        "name": "8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a"
      },
      {
        "id": "",
        "name": "912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35"
      },
      {
        "id": "",
        "name": "82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85"
      },
      {
        "id": "",
        "name": "78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215"
      },
      {
        "id": "",
        "name": "76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9"
      },
      {
        "id": "",
        "name": "6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9"
      },
      {
        "id": "",
        "name": "66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b"
      },
      {
        "id": "",
        "name": "69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8"
      },
      {
        "id": "",
        "name": "5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7"
      },
      {
        "id": "",
        "name": "551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da"
      },
      {
        "id": "",
        "name": "534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3"
      },
      {
        "id": "",
        "name": "4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415"
      },
      {
        "id": "",
        "name": "4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18"
      },
      {
        "id": "",
        "name": "4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9"
      },
      {
        "id": "",
        "name": "2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec"
      },
      {
        "id": "",
        "name": "2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415"
      },
      {
        "id": "",
        "name": "2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08"
      },
      {
        "id": "",
        "name": "1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee"
      },
      {
        "id": "",
        "name": "148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819"
      },
      {
        "id": "",
        "name": "1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd"
      },
      {
        "id": "",
        "name": "0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f"
      },
      {
        "id": "",
        "name": "0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742"
      },
      {
        "id": "",
        "name": "0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66"
      },
      {
        "id": "",
        "name": "50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51"
      }
    ],
    "malware": [
      {
        "id": "79d56e93-8dba-4357-b510-7ce8d5680dad",
        "name": "WikiLoader",
        "slug": "wikiloader"
      },
      {
        "id": "legacy:malware:dea332f7191d9140",
        "name": "WailingCrab",
        "slug": "wailingcrab"
      }
    ],
    "attack_patterns": [
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "Education"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader",
    "https://otx.alienvault.com/pulse/66d626396c9854978e7a8fb9"
  ]
}