Source URL: https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
SPOOFED GLOBALPROTECT USED TO DELIVER UNIQUE WIKILOADER VARIANT

12 min read

By: Mark Lim, Tom Marsden
Published: 2 September, 2024 at 3:00 AM PDT
Categories: Malware, Threat Research
Tags: DLL Sideloading, Emotet, Evasion, Loader as a service, Malvertising, SEO poisoning, Spoof, WailingCrab, WikiLoader
Related Products: Advanced DNS Security, Advanced URL Filtering, Advanced WildFire, Cloud-Delivered Security Services, Code to Cloud Platform, Cortex, Cortex XDR, Managed Threat Hunting, Prisma Cloud, Unit 42 Incident Response

EXECUTIVE SUMMARY

The Unit 42 Managed Threat Hunting team (MTH) identified a variant of the WikiLoader loader for rent (aka WailingCrab) being delivered via SEO poisoning and spoofing our GlobalProtect VPN software. Analysis conducted by the Advanced WildFire reverse engineering team has uncovered the latest evasion techniques for WikiLoader, providing new insights into its evolution.

We provide multiple XQL queries for Cortex XDR to hunt for this WikiLoader campaign. We also provide hashes that identify samples found in the wild, as well as command and control (C2) URLs extracted from the original sample that spoofed GlobalProtect.

Palo Alto Networks customers are better protected from the threats discussed in this article through detection mechanisms available from the following products:

* Cortex XDR
* Next-Generation Firewall with Cloud-Delivered Security Services
* Advanced WildFire
* Advanced DNS Security
* Advanced URL Filtering
* The Prisma Cloud Cloud Security Agent (CSA)

Additionally, Google has confirmed that all sites mentioned in this article are known to Safe Browsing. Any user that visits these sites will receive a warning of potential security risks.
Related Unit 42 Topics: Malvertising, DLL Sideloading

OVERVIEW OF TRADECRAFT USED BY WIKILOADER IN CAMPAIGNS SPOOFING GLOBALPROTECT

WikiLoader is a multistage malware loader that adversaries developed with evasion in mind. Our industry partners have documented this threat well. As such, we focus on the specific tradecraft we observed in campaigns spoofing GlobalProtect, the anti-analysis techniques employed by the loader, and resources for threat hunters.

Proofpoint has reported that WikiLoader has been active since at least late 2022. They also noted that phishing was initially the primary means of delivery. Its operators used compromised WordPress sites and public MQ Telemetry Transport (MQTT) brokers for C2. We have not observed the follow-on payloads from complete WikiLoader infections. However, Proofpoint reported that attackers used the threat to deliver banking Trojans such as Danabot and Ursnif/Gozi to organizations based in Italy.

In June 2024, we observed a WikiLoader campaign leveraging GlobalProtect-themed SEO poisoning rather than the previously documented phishing tactics. SEO poisoning is the process of getting an attacker-controlled site onto the front page of search engine results for a legitimate product, either by purchasing advertisements or by improving page rank. Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result and delivers malware rather than the searched-for product.

This campaign's delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories. Unit 42 primarily observed WikiLoader affecting the U.S. higher education and transportation sectors. However, the use of SEO poisoning for delivery almost certainly broadens the scope of possible victims compared to phishing. WikiLoader is a loader for rent that is suspected to be leveraged by at least two initial access brokers (IABs).
Attribution for this specific campaign requires further research. However, we do make the following observations:

* Campaigns leveraging WikiLoader and spoofing GlobalProtect have shown reasonable regard for evasion
* The threat operators show an awareness of simple techniques that, when executed well, make machine- and signature-based detection of such threats difficult

Such OPSEC considerations include:

* Using the MQTT internet of things (IoT) event queue protocol for C2
* Typosquatting and spoofing download pages, modified to deliver WikiLoader throughout the life of a campaign
* Using legitimate sites running vulnerable, third-party WordPress plugins as C2 infrastructure
* Using cloud-hosted Git solutions to host malicious content
* Using legitimate, signed binaries for sideloading WikiLoader
* Using common file names associated with security tooling, where allowlisting in security products would reduce detection and response efficacy
* Embedding payloads in seemingly benign file names and types
* Setting the hidden attribute on all files except the one file that receives user interaction
* Encrypting shellcode that is stored in separate binaries from the WikiLoader executables
* Storing the decryption keys for the shellcode on the C2 servers
* Performing multiple anti-analysis checks
* Displaying fake error messages on execution

Figure 1 provides a summary of the infection chain.

Figure 1. Attack diagram from delivery through WikiLoader backdoor execution. Source: Inspired by the attack flow detailed in the AhnLab blog, "'Totally Unexpected' Package Malware Using Modified Notepad++ Plug-in (WikiLoader)."

DELIVERY AND EXECUTION

The following section details the execution of WikiLoader as delivered through GlobalProtect-based SEO poisoning. The advertisements we observed linked to multiple fake sites serving spoofed GlobalProtect installers. Figure 2 shows a malicious advertisement that attackers used to lure victims to a spoofed GlobalProtect download page.

Figure 2. Google ad linked to the websites to download spoofed GlobalProtect.

The first site is a clone of a legitimate business that fetches the malicious payload upon download, shown in Figure 3. Bitbucket took the hosting project offline when we notified them of it.

Figure 3. A cloned website that directs users to download the spoofed GlobalProtect installer hosted on Bitbucket.

The second site, shown in Figure 4, spoofs the GlobalProtect client download page.

Figure 4. A cloned GlobalProtect page that directs users to download spoofed GlobalProtect installers.

Upon download, Cortex XDR shows the following information associated with Chrome, where the sample is enriched with Mark of the Web (MotW) data, as shown in Figure 5. MotW is a security feature in Windows that adds metadata to files downloaded from the internet to indicate a potentially unsafe source. Analysts can use this information to understand the source of a file and where someone may have been browsing before downloading it.

Figure 5. File write and read of the GlobalProtect64.zip file enriched with MotW data streams, indicating one of the download URLs in the File Origin text area.

Figure 6 shows how the sample appears to the victim: only a single file is visible in the folder.

Figure 6. The contents of GlobalProtect64.zip following extraction, as viewed by a user.

Figure 7 shows that when viewing all hidden files and folders, there are more than 400 files.

Figure 7. The contents of GlobalProtect64.zip following extraction, showing hidden items.

Figure 8 shows what we see when viewing all files in the archive and checking the signer. GlobalProtect64.exe is a renamed copy of a legitimate share trading application that attackers used to sideload the first WikiLoader component.

Figure 8. A screenshot of Cortex XDR showing a copy of the trading platform renamed as GlobalProtect64.exe being abused to sideload the first WikiLoader loader component (i4jinst.dll) upon execution.
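Figures 6 through 8 describe what an analyst looks for in the downloaded archive: one visible file, hundreds of hidden ones, and executables parked under non-executable names. The script below is an added example (not code from this post, from Unit 42 or from any Palo Alto Networks product) that performs that triage offline: it flags ZIP entries carrying the MS-DOS hidden attribute, detects PE content regardless of extension, and parses the Zone.Identifier stream that carries the MotW download source. It assumes the archive was produced by a tool that stores DOS attributes in the ZIP external attributes (as Windows tools do). The archive and the Zone.Identifier text it runs on are constructed here to mirror the file names in the post; the two defanged URLs in the sample stream are the delivery URLs from the indicators section, so a real stream would carry them refanged.

```python
"""Offline triage of a spoofed installer archive (GlobalProtect64.zip style).

Added example, not code from the post. The archive and Zone.Identifier text are
constructed below; real files are read with open(path, "rb").read() and, on
Windows, open(path + ":Zone.Identifier").read()."""
import io
import struct
import zipfile

DOS_HIDDEN = 0x02   # MS-DOS "hidden" attribute bit kept in the ZIP external attributes
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}


def is_pe(data: bytes) -> bool:
    """True when data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_zip(zip_bytes: bytes) -> list:
    """One finding per file entry: hidden flag, PE check, and PE-under-wrong-extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            pe = is_pe(data)
            findings.append({
                "name": info.filename,
                "hidden": bool(info.external_attr & DOS_HIDDEN),
                "is_pe": pe,
                "disguised_pe": pe and ext not in PE_EXTENSIONS,  # e.g. a PE stored as .html
                "size": info.file_size,
            })
    return findings


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    fields, in_section = {}, False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def fake_pe_header() -> bytes:
    """Minimal MZ/PE stub standing in for a real binary (constructed)."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed stand-in for GlobalProtect64.zip using the file names from the post."""
    entries = [
        ("GlobalProtect64.exe", fake_pe_header(), False),    # the only visible file
        (".install4j/i4jinst.dll", fake_pe_header(), True),  # sideloaded loader
        ("certificate.pem", b"\x8b\x1f" * 64, True),         # encrypted shellcode
        ("license_us_EN.html", fake_pe_header(), True),      # renamed ADInsight.exe
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, hidden in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(zi, data)
    return buf.getvalue()


# Constructed Zone.Identifier text; the URLs are the defanged delivery URLs from the post.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=hxxps://globalprojectvpn[.]com/\r\n"
    "HostUrl=hxxps://globalprotect[.]securedownload[.]today/GlobalProtect64.zip\r\n"
)

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
    print(parse_zone_identifier(SAMPLE_MOTW))
```

On the constructed archive only GlobalProtect64.exe is reported as visible, and license_us_EN.html is the single entry flagged as a PE under a non-executable extension; certificate.pem is hidden but not a PE, which is consistent with it holding encrypted shellcode rather than a binary. Extracting the archive with most tools drops the hidden bit, so run the check on the ZIP itself.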
Figure 9 shows that upon execution of GlobalProtect64.exe, the threat loads the first WikiLoader component, i4jinst.dll, located inside the directory .install4j.

Figure 9. A screenshot of Cortex XDR events associated with the spoofed GlobalProtect64.exe. The i4jinst.dll Load Image event causes the malicious module to be loaded into the binary spoofing GlobalProtect64.exe.

Once loaded, i4jinst.dll reads the first-stage encrypted shellcode from certificate.pem. It then decrypts the shellcode and injects it into explorer.exe. This includes the following discrete actions:

1. The decrypted certificate.pem contains the first-stage shellcode that is executed
2. The shellcode loads C:\Windows\System32\BingMaps.dll
3. The function GetBingMapsFactory is then overwritten with another shellcode decrypted from certificate.pem
4. The shellcode written over GetBingMapsFactory then carries out thread injection into the explorer.exe process

At this point in the infection chain, Cortex's shellcode prevention raised alerts, as shown in Figure 10.

Figure 10. Cortex shellcode protection prevents the injection from the malicious process into explorer.exe.

If not prevented, the injected code in explorer.exe will contact a compromised site running the WordPress CMS as a C2 server for the WikiLoader backdoor. It will then establish persistence and communicate with MQTT brokers for tasking.

The injected code will load license_us_EN.html. In the GlobalProtect spoofing campaign, license_us_EN.html is a renamed copy of the Microsoft Sysinternals binary ADInsight.exe. license_us_EN.html will sideload the WikiLoader backdoor downloaded from the C2 server. Upon establishing persistence, ADInsight.exe (renamed to license_us_EN.html) will be renamed again to a random filename. This file will be written into a randomly named folder in ProgramData, along with a randomly named file with the extension .pem and the WikiLoader backdoor as a .dll. This process is shown in Figure 11.

Figure 11. Files contained in a randomly named directory when WikiLoader writes persistence components to disk.

In testing environments where shellcode protection was disabled, Cortex XDR still generated an analytic behavioral indicator of compromise (BIOC) detection for the unusual creation of a scheduled task by explorer.exe following the shellcode injection.

In summary, the infection chain is as follows:

1. Malicious behavior begins when the victim launches GlobalProtect64.exe, which then loads i4jinst.dll (located inside .install4j)
2. Once loaded, i4jinst.dll reads and decrypts the contents of the file certificate.pem
3. The decrypted certificate.pem contains the first-stage shellcode that the threat executes
4. The shellcode loads C:\Windows\System32\BingMaps.dll
5. The function GetBingMapsFactory is then overwritten with another shellcode decrypted from certificate.pem
6. The shellcode written over GetBingMapsFactory then carries out thread injection into the explorer.exe process
7. The injected code in the explorer.exe process contacts the C2 server for the WikiLoader backdoor
8. To persist, the threat writes license_us_EN.html and another file with the extension .pem to a randomly named folder in ProgramData, along with the WikiLoader backdoor as a .dll
9. The threat establishes persistence via a scheduled task that executes the renamed license_us_EN.html
10. The injected code reads and executes a hidden PE file from license_us_EN.html
11. license_us_EN.html sideloads the WikiLoader backdoor downloaded from the C2 server
12. The backdoor decrypts the shellcode encrypted in the randomly named file with the extension .pem. The decryption key is the name of the folder where the backdoor is located.

We have added additional protections to Cortex, and we share a collection of hunting rules written in XQL at the end of this post.

HIGHLIGHTING WIKILOADER ANTI-ANALYSIS AND DEFENSE EVASION

The following are some unique tricks that this sample of WikiLoader used.
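Before walking through those tricks, step 12 of the chain above deserves a closer look, because it shapes how an analyst can recover the backdoor from a forensic image. The post shows the backdoor calling CryptUnprotectData with the folder name as the decryption secret. A DPAPI blob is self-describing: its header names the master key GUID the blob was sealed with and whether it is user- or machine-scoped, and the blob will not decrypt anywhere else even with the right folder name. Reading that header tells you which master key file (under the user's %APPDATA%\Microsoft\Protect\<SID>\ directory, or the SYSTEM account's Protect directory for machine scope) you need from the victim host, alongside the folder name, to decrypt the .pem offline. The parser below is an added example (not code from this post, from Unit 42 or from WikiLoader). It assumes the .pem handed to CryptUnprotectData is a raw DPAPI blob in the documented layout; the blob it parses is constructed in the block, with a made-up master key GUID and dummy ciphertext, not taken from a sample.

```python
"""Identify a DPAPI blob and read its header (added example, not code from the post).

Assumes the .pem WikiLoader hands to CryptUnprotectData is a raw DPAPI blob; the
blob parsed here is constructed below, not taken from a sample."""
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4         # blob bound to the machine master key, not a user's
CALG_AES_256, CALG_SHA_512 = 0x6610, 0x800E
SAMPLE_MASTER_KEY = "12345678-1234-5678-1234-567812345678"  # made-up master key GUID


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI_BLOB layout and return what offline decryption needs to know."""
    off = 0
    (version,) = struct.unpack_from("<I", blob, off); off += 4
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    (mk_version,) = struct.unpack_from("<I", blob, off); off += 4
    master_key = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, desc_len = struct.unpack_from("<II", blob, off); off += 8
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\0"); off += desc_len
    alg_crypt, alg_crypt_len, salt_len = struct.unpack_from("<III", blob, off); off += 12
    salt = blob[off:off + salt_len]; off += salt_len
    (hmac_key_len,) = struct.unpack_from("<I", blob, off); off += 4 + hmac_key_len
    alg_hash, alg_hash_len, hmac2_key_len = struct.unpack_from("<III", blob, off); off += 12
    off += hmac2_key_len
    (data_len,) = struct.unpack_from("<I", blob, off); off += 4
    data = blob[off:off + data_len]; off += data_len
    (sign_len,) = struct.unpack_from("<I", blob, off); off += 4
    sign = blob[off:off + sign_len]; off += sign_len
    if off != len(blob):
        raise ValueError("blob length does not match its header")
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(master_key),   # names the Protect\<SID>\<guid> key file needed
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
        "alg_crypt": alg_crypt, "alg_crypt_bits": alg_crypt_len,
        "alg_hash": alg_hash, "alg_hash_bits": alg_hash_len,
        "salt": salt.hex(), "data_len": len(data), "sign_len": len(sign),
    }


def build_sample_blob(master_key: str = SAMPLE_MASTER_KEY, flags: int = 0) -> bytes:
    """Constructed DPAPI blob with the real header layout and dummy ciphertext."""
    desc = "\0".encode("utf-16-le")   # empty description, NUL-terminated
    salt, data, sign = b"\x11" * 32, b"\x22" * 48, b"\x33" * 64
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(master_key).bytes_le,
        struct.pack("<II", flags, len(desc)), desc,
        struct.pack("<III", CALG_AES_256, 256, len(salt)), salt,
        struct.pack("<I", 0),                        # no HMAC key
        struct.pack("<III", CALG_SHA_512, 512, 0),   # no second HMAC key
        struct.pack("<I", len(data)), data,
        struct.pack("<I", len(sign)), sign,
    ])


if __name__ == "__main__":
    print(parse_dpapi_blob(build_sample_blob(flags=CRYPTPROTECT_LOCAL_MACHINE)))
```

The provider GUID check at the top is the quick test for whether a random-looking .pem is DPAPI-protected at all. The folder name is the optional entropy that CryptUnprotectData needs in addition to the master key, so a hunting note for this campaign is to record the ProgramData folder name together with the .pem before anything is moved or cleaned up.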
FAKE ERROR MESSAGE

As the spoofed GlobalProtect installer is not an actual installer, the authors of WikiLoader needed another trick to fool victims. The threat shows a fake error message when it completes infection of the victim machine. This prevents the victim from wondering why GlobalProtect is not installed. Figure 12 shows the fake error message generated by the sample.

Figure 12. Fake error message displayed when the sample completes infection.

RENAMED LEGITIMATE SOFTWARE USED FOR SIDELOADING THE BACKDOOR

Attackers renamed the Microsoft Sysinternals tool ADInsight.exe to license_us_EN.html and hid it inside the spoofed GlobalProtect installer. ADInsight.exe is used to sideload the WikiLoader backdoor. Figure 13 shows the contents of license_us_EN.html.

Figure 13. Hex dump of license_us_EN.html showing it is a PE file.

CHECKS FOR ANALYSIS ENVIRONMENTS

The sample checks the running processes on the victim machine against a list of hashes of software commonly used by malware analysts. As most malware analysts use a virtualized environment to analyze samples, the WikiLoader sample terminates if it finds processes related to virtual machine software. To hide the list of processes that WikiLoader is looking for, the malware uses a 32-bit hashing routine similar to those used by Emotet back in 2021. Figure 14 shows the hashing routine used by this WikiLoader sample.

Figure 14. Hashing routine used to obfuscate the names of the analysis processes described above.

FOLDER NAME AS DECRYPTION KEY FOR THE BACKDOOR

The backdoor's encrypted shellcode is decrypted with the Windows CryptUnprotectData (DPAPI) API. This sample of WikiLoader passes the folder name (RamDQ) to that call as the secret required for decryption, so the payload only decrypts from the folder the operators chose, and an analyst who copies the .pem elsewhere must supply the original folder name. Figure 15 shows the folder named RamDQ, which contained the encrypted backdoor 1FoWZv.pem and the executables (s2VT3.exe and version.dll) required to decrypt and execute the backdoor.

Figure 15. Screenshot showing CryptUnprotectData being passed the folder name, ultimately used to decrypt the shellcode in 1FoWZv.pem.

CONCLUSION

Financially motivated threat actors will continue to use WikiLoader as a loader for rent in a variety of campaigns where they require a robust, stealthy Windows loader that pays reasonable attention to OPSEC. What remains to be seen is why threat actors have shifted from phishing to SEO poisoning to deliver WikiLoader. One hypothesis is that another initial access broker (IAB) has begun to work with WikiLoader to operationalize its delivery through SEO poisoning in recent months. Alternatively, groups that are publicly tracked using WikiLoader could have shifted from phishing to SEO poisoning after an improvement in endpoint security controls or industry reporting disrupted their operations.

While SEO poisoning is not a new technique, it continues to be an effective way to deliver a loader to an endpoint. Spoofing trusted security software is likely to assist in bypassing endpoint controls at organizations that rely on filename-based allowlisting. The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader with multiple C2 configurations. We suspect that we will see continued WikiLoader use throughout 2024 and beyond.

Regardless of the anti-analysis and EDR evasion techniques employed by WikiLoader, the procedures it uses can be identified using many common endpoint threat hunting methods. We share a selection of four queries in our appendix that organizations can use to hunt for WikiLoader with high fidelity in endpoint data. XQL users can expand the scope of the queries with minimal changes to cast a wider net, or narrow in on threats that may be more applicable to their environment.
Google has confirmed that all sites mentioned in this article are known to Safe Browsing. Any user that visits these sites will receive a warning of potential security risks. PALO ALTO NETWORKS PROTECTION AND MITIGATION Palo Alto Networks customers are better protected from the threats discussed above through the following products: * Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, detect the files mentioned within this report as malicious. Additionally Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious. * Cortex XDR customers are better protected against the sideloads and shellcode injection attempts mentioned in the article. Cortex XDR detects and prevents these malware activities based on Behavioral Threat Protection, AI-driven local analysis, analytics profiles and other security engines across Windows, Linux and Mac systems. * Prisma Cloud can detect known WikiLoader binaries executed from within cloud environments through the Cloud Security Agent (CSA). If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call: * North America Toll-Free: 866.486.4842 (866.4.UNIT42) * EMEA: +31.20.299.3130 * APAC: +65.6983.8730 * Japan: +81.50.1790.0200 Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance. XQL HUNTING QUERIES Explorer.exe communicating with MQTT brokers // Description: Communication to known MQTT broker services from explorer.exe. Observed samples have communicated with MQTT brokers over over plaintext or encrypted TCP ports, not using websockets. 
Typically these are TCP 1883,8883,8884 config case_sensitive = false | dataset=xdr_data | filter event_type = ENUM.STORY | filter dst_action_external_hostname in ("broker.emqx.io","broker-cn.emqx.io","mqtt.eclipseprojects.io","test.mosquitto.org","broker.hivemq.com","*mqtt.one","*iotbind.com") and actor_process_image_name = "explorer.exe" and action_remote_port not in (53,80,443) | fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, actor_process_image_name, actor_process_image_path, dst_action_external_hostname, action_remote_port, action_remote_ip 1 2 3 4 5 6 7 8 9 10 11 // Description: Communication to known MQTT broker services from explorer.exe. Observed samples have communicated with MQTT brokers over over plaintext or encrypted TCP ports, not using websockets. Typically these are TCP 1883,8883,8884 config case_sensitive = false | dataset=xdr_data | filter event_type = ENUM.STORY | filter dst_action_external_hostname in ("broker.emqx.io","broker-cn.emqx.io","mqtt.eclipseprojects.io","test.mosquitto.org","broker.hivemq.com","*mqtt.one","*iotbind.com") and actor_process_image_name = "explorer.exe" and action_remote_port not in (53,80,443) | fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, actor_process_image_name, actor_process_image_path, dst_action_external_hostname, action_remote_port, action_remote_ip Common DLL sideload targets (step 8 in infection chain) // Description: Processes that have have written 2 PEs, one must be a .exe, and the // other a .dll with a name commonly abused for search order hijacking. config case_sensitive = false | dataset = xdr_data // Get DLL and Exe writes excluding users and program files directories. 
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW) and action_file_extension IN ("dll","exe") and action_file_path !~= "C\:\\(?:Users|Program\sFiles(\s\(x86\))?)\\.*" // Collate the file writes by the actor (writing) process | comp count_distinct(action_file_path) as cnt_pe_written, count_distinct(action_file_extension) as cnt_pe_extensions, count_distinct(action_file_signature_status) as cnt_pe_sig_status, values(action_file_path) as pe_written, values(action_file_signature_status) as action_file_signature_status, values(action_file_signature_vendor) as action_file_signature_vendor, values(action_file_signature_product) as action_file_signature_product, values(actor_effective_username) as username, values(action_file_sha256) as action_file_sha256, values(_time) as time, values(actor_process_command_line) as command_line, values(action_file_name) as pe_written_name, values(agent_hostname) as agent_hostname by actor_process_instance_id // Filter out those that have only written 1 Exe and 1 DLL, with a DLL using a known abused name | filter cnt_pe_written=2 and cnt_pe_extensions=2 and pe_written_name ~= "^(?:vcruntime140|vcruntime|oci|version|msfte|secur32|nw|rw32core|iphlpapi|wininet)\.dll" | filter pe_written_name not in ("*cortex-xdr-payload*","*xdrhealth.exe*","*winpty-agent.exe*") 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 // Description: Processes that have have written 2 PEs, one must be a .exe, and the // other a .dll with a name commonly abused for search order hijacking. config case_sensitive = false | dataset = xdr_data // Get DLL and Exe writes excluding users and program files directories. 
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW) and action_file_extension IN ("dll","exe") and action_file_path !~= "C\:\\(?:Users|Program\sFiles(\s\(x86\))?)\\.*" // Collate the file writes by the actor (writing) process | comp count_distinct(action_file_path) as cnt_pe_written, count_distinct(action_file_extension) as cnt_pe_extensions, count_distinct(action_file_signature_status) as cnt_pe_sig_status, values(action_file_path) as pe_written, values(action_file_signature_status) as action_file_signature_status, values(action_file_signature_vendor) as action_file_signature_vendor, values(action_file_signature_product) as action_file_signature_product, values(actor_effective_username) as username, values(action_file_sha256) as action_file_sha256, values(_time) as time, values(actor_process_command_line) as command_line, values(action_file_name) as pe_written_name, values(agent_hostname) as agent_hostname by actor_process_instance_id // Filter out those that have only written 1 Exe and 1 DLL, with a DLL using a known abused name | filter cnt_pe_written=2 and cnt_pe_extensions=2 and pe_written_name ~= "^(?:vcruntime140|vcruntime|oci|version|msfte|secur32|nw|rw32core|iphlpapi|wininet)\.dll" | filter pe_written_name not in ("*cortex-xdr-payload*","*xdrhealth.exe*","*winpty-agent.exe*") Processes executing as GlobalProtect without a parsed Palo Alto Networks certificate. // Description: A signed process starts with GlobalProtect or PanGP in the image name, but is not signed by a known Palo Alto Networks certificate. 
config case_sensitive = false | dataset=xdr_data | filter event_type IN (ENUM.PROCESS) and event_sub_type = ENUM.PROCESS_START | filter (action_process_image_name contains "GlobalProtect" or action_process_image_name contains "PanGP") and action_process_signature_vendor not in ("Palo Alto Networks","Palo Alto Networks (Netherlands) B.V.","Developer ID Application: Palo Alto Networks (PXPZ95SK77)","Palo Alto Networks, Inc") and action_process_signature_status=ENUM.SIGNED | fields _time, agent_hostname, actor_effective_username, action_process_image_path , action_process_image_command_line , action_process_image_sha256, action_process_signature_status, action_process_signature_vendor, action_process_signature_product, action_process_image_sha256, actor_process_image_path , os_actor_process_command_line, causality_actor_process_command_line 1 2 3 4 5 6 7 8 9 10 11 // Description: A signed process starts with GlobalProtect or PanGP in the image name, but is not signed by a known Palo Alto Networks certificate. 
config case_sensitive = false | dataset=xdr_data | filter event_type IN (ENUM.PROCESS) and event_sub_type = ENUM.PROCESS_START | filter (action_process_image_name contains "GlobalProtect" or action_process_image_name contains "PanGP") and action_process_signature_vendor not in ("Palo Alto Networks","Palo Alto Networks (Netherlands) B.V.","Developer ID Application: Palo Alto Networks (PXPZ95SK77)","Palo Alto Networks, Inc") and action_process_signature_status=ENUM.SIGNED | fields _time, agent_hostname, actor_effective_username, action_process_image_path , action_process_image_command_line , action_process_image_sha256, action_process_signature_status, action_process_signature_vendor, action_process_signature_product, action_process_image_sha256, actor_process_image_path , os_actor_process_command_line, causality_actor_process_command_line Review ZIP files with GlobalProtect naming that have Mark of the Web applied for suspicious download sources // Description: Delivery via .zip files is common, display those that were downloaded with Mark of the Web data. config case_sensitive = false | dataset=xdr_data | filter event_type=ENUM.FILE and event_sub_type IN (ENUM.FILE_OPEN, ENUM.FILE_CREATE_NEW) | filter action_file_extension="zip" and action_file_path ~= "Downloads|Appdata" and action_file_name contains "GlobalProtect" and not action_file_name contains "GlobalProtectLogs" | fields _time, event_sub_type, agent_hostname, actor_effective_username, action_file_name, action_file_path, action_file_web_mark, action_file_sha256 , actor_process_image_name, actor_process_image_sha256 1 2 3 4 5 6 7 8 9 10 11 // Description: Delivery via .zip files is common, display those that were downloaded with Mark of the Web data. 
INDICATORS OF COMPROMISE

These indicators were active throughout June 2024.

Delivery URLs
* URL: hxxps://globalprotect[.]securedownload[.]today/GlobalProtect64.zip
  Description: URL serving archive impersonating GlobalProtect.
* URL: hxxps://globalprojectvpn[.]com
  Description: Fake GlobalProtect site that delivers fake GlobalProtect64.zip
* URL: hxxps://globalprojectvpn[.]com
  Description: Fake GlobalProtect site that pulled from a Bitbucket project to deliver fake GlobalProtect64.zip
* URL: hxxps://bitbucket[.]org/bitprotect/globalproject/src/main/
  Description: Bitbucket project that hosted fake GlobalProtect64.zip

WikiLoader C2 URLs
* hxxps://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1
* hxxps://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1
* hxxps://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1
* hxxps://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1
* hxxps://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1
Description: C2 providing the decryption key to the payload of the WikiLoader sample

SHA-256 hashes for WikiLoader shellcode loader DLLs
SHA-256 hashes for WikiLoader backdoor
* 4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9
* c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c

ADDITIONAL RESOURCES
* Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool – Trend Micro
* X thread on spoof of GlobalProtect – @malwrhunterteam, X
* Protection Highlight: WikiLoader Returns – Broadcom
* 20mb zip drop via discord – @pr0xylife, X
* Stealthy WailingCrab Malware misuses MQTT Messaging Protocol – Security Intelligence, IBM

Updated Sept. 4, 2024, at 1:20 p.m. PT to include clarifying language from Google.