unit42.paloaltonetworks.com Open in urlscan Pro
104.71.188.216  Public Scan

URL: https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
Submission: On September 05 via api from US — Scanned from US

Form analysis 2 forms found in the DOM

Name: Unit42_SubscribePOST https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json

<form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate="" class="subscribe-form" name="Unit42_Subscribe" id="unit42footerSubscription_form">
  <input type="hidden" name="emailFormMask" value="">
  <input type="hidden" value="1086" name="formid">
  <input type="hidden" value="531-OCS-018" name="munchkinId">
  <input type="hidden" value="2141" name="lpId">
  <input type="hidden" value="1203" name="programId">
  <input type="hidden" value="1086" name="formVid">
  <input type="hidden" name="mkto_optinunit42" value="true">
  <input type="hidden" name="mkto_opt-in" value="true">
  <div class="form-group">
    <label for="newsletter-email" id="newsletter-email-label">Your Email</label>
    <input type="emal" placeholder="Your Email" name="Email" class="subscribe-field" id="newsletter-email" aria-labelledby="newsletter-email-label">
    <p class="error-mail mb-15 text-danger" style="color: #dc3545"></p>
    <p>By submitting this form, you agree to our <a title="Terms of Use" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" data-page-track="true" data-page-track-value="Get updates from Unit 42:Terms of Use">Terms of Use</a> and
      acknowledge our <a title="Privacy Statement" href="https://www.paloaltonetworks.com/legal-notices/privacy" data-page-track="true" data-page-track-value="Get updates from Unit 42:Privacy Statement">Privacy Statement.</a></p>
    <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div>
    <p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Invalid captcha!</p>
    <button class="l-btn is-disabled" data-page-track="true" data-page-track-value="footer:Get updates from Unit 42:Subscribe" id="unit42footerSubscription_form_button"> Subscribe <img
        src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow" class="arrow">
      <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-loader.svg" alt="loader" class="loader">
    </button>
    <div class="form-success-message"></div>
  </div>
  <input type="hidden" name="Company_From_IP__c" value="St Patricks Church of Elkhorn"><input type="hidden" name="Industry" value="Civic, Non-Profit and Membership Groups"><input type="hidden" name="Sub_Industry__c"
    value="Religious Organizations"><input type="hidden" name="RL_Primary_Sic__c" value="8661"><input type="hidden" name="RL_Primary_Naics__c" value="8131"><input type="hidden" name="RL_Address__c" value="20500 W Maple Rd"><input type="hidden"
    name="RL_City__c" value="Elkhorn"><input type="hidden" name="RL_State__c" value="NE"><input type="hidden" name="RL_ZIP_Postal_Code__c" value="68022-1103"><input type="hidden" name="RL_Country_from_IP__c" value="US"><input type="hidden"
    name="RL_Phone__c" value="+1 402 289 4289"><input type="hidden" name="Website" value="stpatselkhorn.org"><input type="hidden" name="RL_Annual_Revenue_Range__c" value="$5M - $10M"><input type="hidden" name="RL_Employee_Range__c"
    value="Small"><input type="hidden" name="Latitude_based_on_IP__c" value=""><input type="hidden" name="Longitude_based_on_IP__c" value=""><input type="hidden" name="IP_Address__c" value=""><input type="hidden" name="RL_Company_LegalName__c"
    value="St Patricks Church of Elkhorn"><input type="hidden" name="RL_Provider__c" value="demandbase">
</form>

<form action="" onsubmit="LO.submit_chat(); return false;">
  <div id="lo_chat_input" style="position:relative; width: 100%; ">
    <div class="lo-fx-hr" style="height:0px; margin-bottom:0px; margin-top:0px; width:100%; border-top:1px solid #000000;border-bottom:1px solid #4f4f4f"></div>
    <div style="padding:10px;"><label for="lo_chat_textarea" style="display:none">Chat Input Box</label><textarea id="lo_chat_textarea" disabled="disabled" rows="2"
        style="color: black; background-color: rgb(255, 255, 255); border-radius: 5px; padding: 7px; height: auto; width: 100%; font-family: sans-serif; text-transform: none; resize: none;" dir="null" data-last-scroll-height="0"></textarea></div>
    <div id="lo_chat_sound_holder" style="position:absolute; right:0px; top:-25px; width:100%;">
      <div style="cursor: pointer; float:right; opacity:0.6; padding-right:10px; height:16px;" id="lo_chat_sound"><img alt="Click to mute chat sounds" src="https://d10lpsik1i8c69.cloudfront.net/graphics/sound-on-white.png"></div>
      <div id="lo_chat_status" style="padding-left:10px; font-size:11px; color:#6d6d6d"></div>
      <div style="clear:both;"></div>
    </div>
  </div>
</form>

Text Content

Menu
 * Tools
 * ATOMs
 * Security Consulting
 * About Us
 * Under Attack?

 * 
 * About Unit 42
 * Services
   Services
   Assess and Test Your Security Controls
    * AI Security Assessment
    * Attack Surface Assessment
    * Breach Readiness Review
    * BEC Readiness Assessment
    * Cloud Security Assessment
    * Compromise Assessment
    * Cyber Risk Assessment
    * M&A Cyber Due Diligence
    * Penetration Testing
    * Purple Team Exercises
    * Ransomware Readiness Assessment
    * SOC Assessment
    * Supply Chain Risk Assessment
    * Tabletop Exercises
    * Unit 42 Retainer
   
   Transform Your Security Strategy
    * IR Plan Development and Review
    * Security Program Design
    * Virtual CISO
    * Zero Trust Advisory
   
   Respond in Record Time
    * Cloud Incident Response
    * Digital Forensics
    * Incident Response
    * Managed Detection and Response
    * Managed Threat Hunting
    * Unit 42 Retainer
   
   UNIT 42 RETAINER
   
   Custom-built to fit your organization's needs, you can choose to allocate
   your retainer hours to any of our offerings, including proactive cyber risk
   management services. Learn how you can put the world-class Unit 42 Incident
   Response team on speed dial.
   
   Learn more
 * Unit 42 Threat Research
   Unit 42 Threat Research
   Unit 42 Threat Research
    * Threat Briefs and Assessments
      Details on the latest cyber threats
    * Tools
      Lists of public tools released by our team
    * Threat Reports
      Downloadable, in-depth research reports
   
   THREAT REPORT
   
   2024 Unit 42 Incident Response Report
   
   Read now
   THREAT BRIEF
   
   Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats
   Including DDoS, HermeticWiper, Gamaredon, Website Defacement
   
   Learn more
   THREAT REPORT
   
   Highlights from the Unit 42 Cloud Threat Report, Volume 6
   
   Learn more
 * Partners
   Partners
   Partners
    * Threat Intelligence Sharing
    * Law Firms and Insurance Providers
   
   THREAT REPORT
   
   2022 Unit 42 Ransomware Threat Report: Understand trends and tactics to
   bolster defenses
   
   Learn more
   THREAT BRIEF
   
   Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats
   Including DDoS, HermeticWiper, Gamaredon, Website Defacement
   
   Learn more
   THREAT BRIEF
   
   Operation Falcon II: Unit 42 Helps Interpol Identify Nigerian Business Email
   Compromise Ring Members
   
   Learn more
 * Resources
   Resources
   Resources
    * Research Reports
    * Webinars
    * Customer Stories
    * Datasheets
    * Videos
    * Infographics
    * Whitepapers
    * Cyberpedia
   
   Industries
    * Financial Services
    * Healthcare
    * Manufacturing
   
   ANALYST REPORT
   
   Unit 42® has been named a Leader in “The Forrester Wave™: Cybersecurity
   Incident Response Services, Q2 2024.” Read the Forrester report to learn why.
   
   Get the report
   THREAT REPORT
   
   2024 Unit 42 Incident Response Report: Get the latest threat insights and
   expert recommendations to safeguard your organization better.
   
   Learn more

 * 
 * Under Attack?




Search
All
 * Tech Docs


Close search modal

 * Threat Research Center
 * Threat Research
 * Malware

Malware


SPOOFED GLOBALPROTECT USED TO DELIVER UNIQUE WIKILOADER VARIANT

12 min read
Related Products
Advanced DNS SecurityAdvanced URL FilteringAdvanced WildFireCloud-Delivered
Security ServicesCode to Cloud PlatformCortexCortex XDRManaged Threat
HuntingPrisma CloudUnit 42 Incident Response
 * By:
    * Mark Lim
    * Tom Marsden

 * Published:2 September, 2024 at 3:00 AM PDT
 * Categories:
    * Malware
    * Threat Research

 * Tags:
    * DLL Sideloading
    * Emotet
    * Evasion
    * Loader as a service
    * Malvertising
    * SEO poisoning
    * Spoof
    * WailingCrab
    * WikiLoader

 * 
 * 

Share
 * 
 * 
 * 
 * 
 * 
 * 
 * 


EXECUTIVE SUMMARY

The Unit 42 Managed Threat Hunting team (MTH) identified a variant of WikiLoader
loader for rent (aka WailingCrab) being delivered via SEO poisoning and spoofing
our GlobalProtect VPN software. Analysis conducted by the Advanced WildFire
reverse engineering team has uncovered the latest evasion techniques for
WikiLoader, providing new insights into its evolution.

We provide multiple XQL queries for Cortex XDR to hunt for this WikiLoader
campaign. We also provide hashes that identify samples found in the wild as well
as command and control (C2) URLs extracted from the original sample that spoofed
GlobalProtect.

Palo Alto Networks customers are better protected from the threats discussed in
this article through detection mechanisms available from the following products:

 * Cortex XDR
 * Next-Generation Firewall with Cloud-Delivered Security Services
 * Advanced WildFire
 * Advanced DNS Security
 * Advanced URL Filtering
 * The Prisma Cloud Cloud Security Agent (CSA)

Additionally, Google has confirmed that all sites mentioned in this article are
known to Safe Browsing. Any user that visits these sites will receive a warning
of potential security risks.

Related Unit 42 Topics Malvertising, DLL Sideloading


OVERVIEW OF TRADECRAFT USED BY WIKILOADER IN CAMPAIGNS SPOOFING GLOBALPROTECT

WikiLoader is a multistage malware loader that adversaries developed with
consideration toward evasion. Our industry partners have documented this threat
well. As such, we’ll focus on the specific tradecraft we observed related to
campaigns spoofing GlobalProtect, anti-analysis techniques employed by the
loader and resources for threat hunters.

Proofpoint has reported WikiLoader has been active since at least late 2022.
They also noted that phishing was initially the primary means of delivery. Its
operators used compromised WordPress sites and public MQ Telemetry Transport
(MQTT) brokers for C2.

We have not observed the follow-on payloads from complete WikiLoader infections.
However, Proofpoint reported attackers used the threat to deliver banking
Trojans such as Danabot and Ursnif/Gozi to organizations based in Italy.

In June 2024, we observed a WikiLoader campaign leveraging GlobalProtect themed
SEO poisoning, rather than using previously documented phishing tactics. SEO
poisoning is the process of getting an attacker-controlled site on the front
page of search engine results for a legitimate product through purchasing
advertisements or improving page rank.

Attackers commonly use SEO poisoning as an initial access vector to trick people
into visiting a page that spoofs the legitimate search result to deliver malware
rather than the searched-for product. This campaign’s delivery infrastructure
leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git
repositories.

Unit 42 primarily observed WikiLoader affecting the U.S. higher education and
transportation sectors. However, the use of SEO poisoning for delivery almost
certainly broadens the scope of possible victims as compared to phishing.

WikiLoader is a loader for rent, which is suspected to be leveraged by at least
two initial access brokers (IABs). Attribution for this specific campaign
requires further research. However, we do make the following observations.

 * Campaigns leveraging WikiLoader and spoofing GlobalProtect have shown
   reasonable regard for evasion
 * The threat operators show an awareness of simple techniques that, when
   executed well, make machine and signature-based detection of such threats
   difficult

Such OPSEC considerations include:

 * Using the MQTT internet of things (IoT) event queue protocol for C2
 * Typosquatting and spoofing download pages modified to deliver WikiLoader
   throughout the life of a campaign
 * Using legitimate sites running vulnerable, third-party WordPress plugins as
   C2 infrastructure
 * Using cloud-hosted Git solutions to host malicious content
 * Using legitimate, signed binaries for sideloading WikiLoader
 * Using common file names associated with security tooling, where allowlistings
   in security products would reduce detection and response efficacy
 * Embedding payloads in seemingly benign file names and types
 * Hiding attributes for all files except the file that receives user
   interaction
 * Encrypting shellcode that is stored in separate binaries from the WikiLoader
   executables
 * Decrypting keys for shellcode that operators stored in the C2 servers
 * Performing multiple anti-analysis checks
 * Displaying fake error messages on execution

Figure 1 provides a summary of the infection chain.




Figure 1. Attack diagram from the delivery through WikiLoader backdoor
Execution. Source: Inspired by attack flow detailed in AhnLab blog, "'Totally
Unexpected' Package Malware Using Modified Notepad++ Plug-in (WikiLoader)."



DELIVERY AND EXECUTION

The following section details the execution of WikiLoader as delivered through
GlobalProtect-based SEO poisoning.

The advertisements we observed linked to multiple fake sites serving spoofed
GlobalProtect installers. Figure 2 shows a malicious advertisement that
attackers used to lure victims to a spoofed GlobalProtect download page.

Figure 2. Google ad linked to the websites to download spoofed GlobalProtect.


The first site is a clone of a legitimate business that fetches the malicious
payload upon download shown in Figure 3. Bitbucket took the site offline when we
notified them of it.

Figure 3. A cloned website that directs users to download the spoofed
GlobalProtect installer hosted on Bitbucket.


The second site shown in Figure 4 is a site that spoofs the GlobalProtect client
download page.

 

Figure 4. A cloned GlobalProtect page that directs users to download spoofed
GlobalProtect installers.


Upon download, Cortex XDR shows the following information associated with Chrome
where the sample is enriched with Mark of the Web (MotW) data as shown in Figure
5. MotW is a security feature in Windows that adds metadata to files downloaded
from the internet to indicate a potentially unsafe source. Analysts can use this
information to assist in understanding the source of a file, and where someone
may have been browsing before downloading the file.

Figure 5. File write and read of the GlobalProtect64.zip file enriched with MotW
data streams indicating one of the download URLs in the File Origin text area.


Figure 6 shows how the sample appears to the victim. The sample only shows a
single file in the folder.

Figure 6. The contents of GlobalProtect64.zip following extraction as viewed by
a user.


Figure 7 shows that when viewing all the hidden files and folders, there are
more than 400 files.

Figure 7. The contents of GlobalProtect64.zip following extraction, showing
hidden items.


Figure 8 shows what we see when viewing all files in the archive and checking
the signer. GlobalProtect64.exe is a renamed copy of a legitimate share trading
application that attackers used to sideload the first WikiLoader component.

Figure 8. A screenshot of Cortex XDR showing a copy of the trading platform
renamed as GlobalProtect64.exe being abused to sideload the first WikiLoader
loader component (i4jinst.dll) upon execution.


Figure 9 shows that upon execution of GlobalProtect64.exe, the threat loads the
first WikiLoader component i4jinst.dll, located inside the directory .install4j.

Figure 9. A screenshot of Cortex XDR events associated with spoofed
GlobalProtect64.exe.


The i4jinst.dll Load Image event causes the malicious module to be loaded into
the binary spoofing GlobalProtect64.exe. Once loaded, i4jinst.dll reads the
first stage encrypted shellcode from certificate.pem. It then decrypts the
shellcode and injects it into explorer.exe.

This includes the following discrete actions:

 1. The decrypted certificate.pem contains the first stage shellcode that is
    executed
 2. The shellcode loads C:\Windows\System32\BingMaps.dll
 3. The function GetBingMapsFactory is then overwritten with another shellcode
    decrypted from certificate.pem
 4. The overwritten shellcode then carries out thread injection into the
    explorer.exe process

At this point in the infection chain, Cortex’s shellcode prevention raised
alerts as shown in Figure 10.

Figure 10. Cortex shellcode protection prevents the injection from the malicious
process into explorer.exe.


If unprevented, the injected code in explorer.exe will contact a compromised
site running WordPress CMS as a C2 server for the WikiLoader backdoor. It will
then establish persistence and communicate with MQTT brokers for tasking.

The injected code will load license_us_EN.html. In the GlobalProtect spoofing
campaign, license_us_EN.html is a renamed copy of the AdInsight.exe Microsoft
Sysinternals binary. License_us_EN.html will side load the WikiLoader backdoor
downloaded from the C2 server.

Upon establishing persistence, AdInsight.exe (renamed to license_us_EN.html)
will be renamed again to a random filename. This file will be written into a
randomly named folder in ProgramData along with a randomly named file with the
extension .pem and the WikiLoader backdoor as a .dll. This process is shown in
Figure 11.

Figure 11. Files contained in a randomly named directory when WikiLoader writes
persistence components to disk.


In testing environments where shellcode protection was disabled, Cortex XDR
still generated an analytic behavioral indicator of compromise (BIOC) detection
for the unusual creation of a scheduled task created by explorer.exe following
the shellcode injection.

In summary, the infection chain is as follows:

 1.  Malicious behaviors begin when the victim launches GlobalProtect64.exe and
     this file then loads i4jinst.dll (located inside .install4j)
 2.  Once loaded, i4jinst.dll will read and decrypt the contents of the file
     certificate.pem
 3.  The decrypted certificate.pem contains the first stage shellcode that the
     threat executes
 4.  The shellcode loads C:\Windows\System32\BingMaps.dll
 5.  The function GetBingMapsFactory is then overwritten with another shellcode
     decrypted from certificate.pem
 6.  The overwritten shellcode then carries out thread injection into the
     explorer.exe process
 7.  The injected code in the explorer.exe process will contact the C2 server
     for the WikiLoader backdoor
 8.  If persisting, the threat will write license_us_EN.html and another file
     with extension .pem to a randomly named folder in ProgramData along with
     the WikiLoader backdoor as a .dll
 9.  The threat will establish persistence via a scheduled task to execute the
     renamed license_us_EN.html
 10. The injected code will read and execute a hidden PE file from
     license_us_EN.html
 11. License_us_EN.html will side load the WikiLoader backdoor downloaded from
     the C2 server
 12. The backdoor will decrypt the shellcode encrypted in the randomly named
     file with extension .pem. The decryption key is the name of the folder
     where the backdoor is located.

We have added additional protections to Cortex, and we share a collection of
hunting rules written in XQL at the end of this post.


HIGHLIGHTING WIKILOADER ANTI-ANALYSIS AND DEFENSE EVASION

The following are some unique tricks that this sample of WikiLoader used.


FAKE ERROR MESSAGE

As the spoofed GlobalProtect installer is not an actual installer, the authors
of WikiLoader needed another trick to fool victims. The threat shows a fake
error message when it completes infection of the victim machine. This prevents
the victim from wondering why GlobalProtect is not installed.

Figure 12 shows the fake error message generated by the sample.

Figure 12. Fake error message displayed when the sample completes infection



RENAMED LEGITIMATE SOFTWARE USED FOR SIDE-LOADING BACKDOOR

Attackers renamed the Microsoft Sysinternals tool ADInsight.exe to
license_us_EN.html, and hid it inside the spoofed GlobalProtect installer.
ADInsight.exe is used to side load the WikiLoader backdoor. Figure 13 shows the
contents of license_us_EN.html.

Figure 13. Hex dump of license_us_EN.html showing it is a PE file.



CHECKS FOR ANALYSIS ENVIRONMENTS

The sample checks the running processes in the victim machine against a list of
hashes of software commonly used by malware analysts. As most malware analysts
would be using a virtualized environment to analyze malware samples, the
WikiLoader sample will terminate if it finds processes related to virtual
machine software.

To hide the list of processes that WikiLoader is looking for, the malware uses a
32-bit hashing routine similar to those used by Emotet back in 2021. Figure 14
shows the hashing routine used by this WikiLoader sample.

Figure 14. Hashing routine used to obfuscate the analysis processes from above.



FOLDER NAME AS DECRYPTION KEY FOR THE BACKDOOR

The backdoor is encrypted using the CryptUnprotectData API. This sample of
WikiLoader used the folder name (RamDQ) as the decryption key for its backdoor.

Figure 15 shows the folder named RamDQ, which contained the encrypted backdoor
1FoWZv.pem and the executables (s2VT3.exe and version.dll) required to decrypt
and execute the backdoor.

Figure 15. Screenshot showing CryptUnprotectData being passed the folder name,
ultimately to be used to decrypt the shellcode in 1FoWZv.pem.



CONCLUSION

Financially motivated threat actors will continue to use WikiLoader as a loader
for rent in a variety of campaigns where they require a robust, stealthy Windows
loader that pays reasonable attention to OPSEC.

What remains to be seen is why threat actors have shifted from phishing to SEO
poisoning to deliver WikiLoader. One hypothesis is that another initial access
broker (IAB) has begun to work with WikiLoader to operationalize its delivery
through SEO poisoning in recent months. Alternatively, groups that are publicly
tracked using WikiLoader could have shifted to SEO poisoning from phishing after
an improvement in endpoint security controls or industry reporting disrupted
their operations.

While SEO poisoning is not a new technique, it continues to be an effective way
to deliver a loader to an endpoint. Spoofing trusted security software is likely
to assist in bypassing endpoint controls at organizations that rely on filename
based allow listing.

The combination of spoofed, compromised and legitimate infrastructure leveraged
by WikiLoader campaigns reinforces the malware authors attention to building an
operationally secure and robust loader, with multiple C2 configurations. The
authors suspect that we will likely see continued WikiLoader use throughout 2024
and beyond.

Regardless of the anti-analysis and EDR evasion techniques employed by
WikiLoader, the procedures employed can be identified using many common endpoint
threat hunting methods. We share a selection of four queries in our appendix
that organizations can use to hunt for WikiLoader with high fidelity in endpoint
data. The queries can be expanded in scope with minimal changes from XQL users
to cast a wider net, or narrow in on threats that may be more applicable to an
organization’s environment.

Google has confirmed that all sites mentioned in this article are known to Safe
Browsing. Any user that visits these sites will receive a warning of potential
security risks.


PALO ALTO NETWORKS PROTECTION AND MITIGATION

Palo Alto Networks customers are better protected from the threats discussed
above through the following products:

 * Next-Generation Firewall with Cloud-Delivered Security Services, including
   Advanced WildFire, detect the files mentioned within this report as
   malicious. Additionally Advanced URL Filtering and Advanced DNS Security
   identify known URLs and domains associated with this activity as malicious.
 * Cortex XDR customers are better protected against the sideloads and shellcode
   injection attempts mentioned in the article. Cortex XDR detects and prevents
   these malware activities based on Behavioral Threat Protection, AI-driven
   local analysis, analytics profiles and other security engines across Windows,
   Linux and Mac systems.
 * Prisma Cloud can detect known WikiLoader binaries executed from within cloud
   environments through the Cloud Security Agent (CSA).

If you think you may have been compromised or have an urgent matter, get in
touch with the Unit 42 Incident Response team or call:

 * North America Toll-Free: 866.486.4842 (866.4.UNIT42)
 * EMEA: +31.20.299.3130
 * APAC: +65.6983.8730
 * Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat
Alliance (CTA) members. CTA members use this intelligence to rapidly deploy
protections to their customers and to systematically disrupt malicious cyber
actors. Learn more about the Cyber Threat Alliance.


XQL HUNTING QUERIES

Explorer.exe communicating with MQTT brokers

// Description: Communication to known MQTT broker services from explorer.exe.
Observed samples have communicated with MQTT brokers over over plaintext or
encrypted TCP ports, not using websockets. Typically these are TCP
1883,8883,8884 config case_sensitive = false | dataset=xdr_data | filter
event_type = ENUM.STORY | filter dst_action_external_hostname in
("broker.emqx.io","broker-cn.emqx.io","mqtt.eclipseprojects.io","test.mosquitto.org","broker.hivemq.com","*mqtt.one","*iotbind.com")
and actor_process_image_name = "explorer.exe" and action_remote_port not in
(53,80,443) | fields _time, agent_hostname, agent_ip_addresses,
actor_effective_username, actor_process_image_name, actor_process_image_path,
dst_action_external_hostname, action_remote_port, action_remote_ip
1
2
3
4
5
6
7
8
9
10
11
// Description: Communication to known MQTT broker services from explorer.exe.
Observed samples have communicated with MQTT brokers over over plaintext or
encrypted TCP ports, not using websockets. Typically these are TCP
1883,8883,8884
 
config case_sensitive = false
 
| dataset=xdr_data
 
| filter event_type = ENUM.STORY
 
| filter dst_action_external_hostname in
("broker.emqx.io","broker-cn.emqx.io","mqtt.eclipseprojects.io","test.mosquitto.org","broker.hivemq.com","*mqtt.one","*iotbind.com")
and actor_process_image_name = "explorer.exe" and action_remote_port not in
(53,80,443)
 
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username,
actor_process_image_name, actor_process_image_path,
dst_action_external_hostname, action_remote_port, action_remote_ip

Common DLL sideload targets (step 8 in infection chain)

// Description: Processes that have have written 2 PEs, one must be a .exe, and
the // other a .dll with a name commonly abused for search order hijacking.
config case_sensitive = false | dataset = xdr_data // Get DLL and Exe writes
excluding users and program files directories. | filter event_type = ENUM.FILE
and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW) and
action_file_extension IN ("dll","exe") and action_file_path !~=
"C\:\\(?:Users|Program\sFiles(\s\(x86\))?)\\.*" // Collate the file writes by
the actor (writing) process | comp count_distinct(action_file_path) as
cnt_pe_written, count_distinct(action_file_extension) as cnt_pe_extensions,
count_distinct(action_file_signature_status) as cnt_pe_sig_status,
values(action_file_path) as pe_written, values(action_file_signature_status) as
action_file_signature_status, values(action_file_signature_vendor) as
action_file_signature_vendor, values(action_file_signature_product) as
action_file_signature_product, values(actor_effective_username) as username,
values(action_file_sha256) as action_file_sha256, values(_time) as time,
values(actor_process_command_line) as command_line, values(action_file_name) as
pe_written_name, values(agent_hostname) as agent_hostname by
actor_process_instance_id // Filter out those that have only written 1 Exe and 1
DLL, with a DLL using a known abused name | filter cnt_pe_written=2 and
cnt_pe_extensions=2 and pe_written_name ~=
"^(?:vcruntime140|vcruntime|oci|version|msfte|secur32|nw|rw32core|iphlpapi|wininet)\.dll"
| filter pe_written_name not in
("*cortex-xdr-payload*","*xdrhealth.exe*","*winpty-agent.exe*")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
// Description: Processes that have have written 2 PEs, one must be a .exe, and
the
 
// other a .dll with a name commonly abused for search order hijacking.
 
config case_sensitive = false
 
| dataset = xdr_data
 
// Get DLL and Exe writes excluding users and program files directories.
 
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE,
ENUM.FILE_CREATE_NEW) and action_file_extension IN ("dll","exe") and
action_file_path !~= "C\:\\(?:Users|Program\sFiles(\s\(x86\))?)\\.*"
 
// Collate the file writes by the actor (writing) process
 
| comp count_distinct(action_file_path) as cnt_pe_written,
count_distinct(action_file_extension) as cnt_pe_extensions,
count_distinct(action_file_signature_status) as cnt_pe_sig_status,
values(action_file_path) as pe_written, values(action_file_signature_status) as
action_file_signature_status, values(action_file_signature_vendor) as
action_file_signature_vendor, values(action_file_signature_product) as
action_file_signature_product, values(actor_effective_username) as username,
values(action_file_sha256) as action_file_sha256, values(_time) as time,
values(actor_process_command_line) as command_line, values(action_file_name) as
pe_written_name, values(agent_hostname) as agent_hostname by
actor_process_instance_id
 
// Filter out those that have only written 1 Exe and 1 DLL, with a DLL using a
known abused name
 
| filter cnt_pe_written=2 and cnt_pe_extensions=2 and pe_written_name ~=
"^(?:vcruntime140|vcruntime|oci|version|msfte|secur32|nw|rw32core|iphlpapi|wininet)\.dll"
 
| filter pe_written_name not in
("*cortex-xdr-payload*","*xdrhealth.exe*","*winpty-agent.exe*")

Processes executing as GlobalProtect without a parsed Palo Alto Networks
certificate.

// Description: A signed process starts with GlobalProtect or PanGP in the image
name, but is not signed by a known Palo Alto Networks certificate. config
case_sensitive = false | dataset=xdr_data | filter event_type IN (ENUM.PROCESS)
and event_sub_type = ENUM.PROCESS_START | filter (action_process_image_name
contains "GlobalProtect" or action_process_image_name contains "PanGP") and
action_process_signature_vendor not in ("Palo Alto Networks","Palo Alto Networks
(Netherlands) B.V.","Developer ID Application: Palo Alto Networks
(PXPZ95SK77)","Palo Alto Networks, Inc") and
action_process_signature_status=ENUM.SIGNED | fields _time, agent_hostname,
actor_effective_username, action_process_image_path ,
action_process_image_command_line , action_process_image_sha256,
action_process_signature_status, action_process_signature_vendor,
action_process_signature_product, action_process_image_sha256,
actor_process_image_path , os_actor_process_command_line,
causality_actor_process_command_line
1
2
3
4
5
6
7
8
9
10
11
// Description: A signed process starts with GlobalProtect or PanGP in the image
name, but is not signed by a known Palo Alto Networks certificate.
 
config case_sensitive = false
 
| dataset=xdr_data
 
| filter event_type IN (ENUM.PROCESS) and event_sub_type = ENUM.PROCESS_START
 
| filter (action_process_image_name contains "GlobalProtect" or
action_process_image_name contains "PanGP") and action_process_signature_vendor
not in ("Palo Alto Networks","Palo Alto Networks (Netherlands) B.V.","Developer
ID Application: Palo Alto Networks (PXPZ95SK77)","Palo Alto Networks, Inc") and
action_process_signature_status=ENUM.SIGNED
 
| fields _time, agent_hostname, actor_effective_username,
action_process_image_path , action_process_image_command_line ,
action_process_image_sha256, action_process_signature_status,
action_process_signature_vendor, action_process_signature_product,
action_process_image_sha256, actor_process_image_path ,
os_actor_process_command_line, causality_actor_process_command_line

Review ZIP files with GlobalProtect naming that have Mark of the Web applied for
suspicious download sources

// Description: Delivery via .zip files is common, display those that were
downloaded with Mark of the Web data. config case_sensitive = false |
dataset=xdr_data | filter event_type=ENUM.FILE and event_sub_type IN
(ENUM.FILE_OPEN, ENUM.FILE_CREATE_NEW) | filter action_file_extension="zip" and
action_file_path ~= "Downloads|Appdata" and action_file_name contains
"GlobalProtect" and not action_file_name contains "GlobalProtectLogs" | fields
_time, event_sub_type, agent_hostname, actor_effective_username,
action_file_name, action_file_path, action_file_web_mark, action_file_sha256 ,
actor_process_image_name, actor_process_image_sha256
1
2
3
4
5
6
7
8
9
10
11
// Description: Delivery via .zip files is common, display those that were
downloaded with Mark of the Web data.
 
config case_sensitive = false
 
| dataset=xdr_data
 
| filter event_type=ENUM.FILE and event_sub_type IN (ENUM.FILE_OPEN,
ENUM.FILE_CREATE_NEW)
 
| filter action_file_extension="zip" and action_file_path ~= "Downloads|Appdata"
and action_file_name contains "GlobalProtect" and not action_file_name contains
"GlobalProtectLogs"
 
| fields _time, event_sub_type, agent_hostname, actor_effective_username,
action_file_name, action_file_path, action_file_web_mark, action_file_sha256 ,
actor_process_image_name, actor_process_image_sha256




INDICATORS OF COMPROMISE

These indicators were active throughout June 2024.

Delivery URLs

 * URL: hxxps://globalprotect[.]securedownload[.]today/GlobalProtect64.zip

Description: URL serving archive impersonating GlobalProtect.

 * URL: hxxps://globalprojectvpn[.]com

Description: Fake GlobalProtect site that delivers fake GlobalProtect64.zip

 * URL: hxxps://globalprojectvpn[.]com

Description: Fake GlobalProtect site that pulled from a Bitbucket project to
deliver fake GlobalProtect64.zip

 * URL: hxxps://bitbucket[.]org/bitprotect/globalproject/src/main/

Description: Bitbucket project that hosted fake GlobalProtect64.zip

WikiLoader C2 URLs

 * hxxps://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1
 * hxxps://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1
 * hxxps://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1
 * hxxps://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1
 * hxxps://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1

Description: C2 providing the decryption key to the payload of the WikiLoader
sample

SHA-256 hashes for WikiLoader shellcode loader DLLs

 * d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f
 * 534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3
 * a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b
 * c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c
 * f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665
 * 2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08
 * 1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee
 * b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0
 * 66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b
 * edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9
 * 148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819
 * 0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f
 * 5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7
 * 551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da
 * 4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415
 * 4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18
 * 2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415
 * 76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9
 * 6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9
 * 1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd
 * 69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8
 * 9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024
 * c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6
 * 0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66
 * 2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec
 * e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32
 * 50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51
 * 912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35
 * f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2
 * e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b
 * 8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a
 * ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe
 * e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
 * 78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215
 * abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed
 * 82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85
 * 0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742

SHA-256 hashes for WikiLoader backdoor

 * 4044a0d7a0ed7f66efc2bd13616ec63a5722fc7a73a28fe3bda513f60ef24dd9
 * c9eaaa6aee55704ce651c8b4cde7949cfa9711e05a136fa15f234d1bb2ea994c



ADDITIONAL RESOURCES

 * Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool
   – Trend Micro
 * X thread on spoof of GlobalProtext– @malwrhunterteam, X
 * Protection Highlight: WikiLoader Returns – Broadcom
 * 20mb zip drop via discord –  @pr0xylife, X
 * Stealthy WailingCrab Malware misuses MQTT Messaging Protocol – Security
   Intelligence, IBM

Updated Sept. 4, 2024, at 1:20 p.m. PT to include clarifying language from
Google.

Back to top


TAGS

 * DLL Sideloading
 * Emotet
 * Evasion
 * Loader as a service
 * Malvertising
 * SEO poisoning
 * Spoof
 * WailingCrab
 * WikiLoader

Threat Research Center Next: TLD Tracker: Exploring Newly Released Top-Level
Domains


TABLE OF CONTENTS

 * 
 * Executive Summary
 * Overview of Tradecraft Used by WikiLoader in Campaigns Spoofing GlobalProtect
 * 
 * Delivery and Execution
 * Highlighting WikiLoader Anti-Analysis and Defense Evasion
   * Fake Error Message
   * Renamed Legitimate Software Used for Side-Loading Backdoor
   * Checks for Analysis Environments
   * Folder Name as Decryption Key for the Backdoor
 * Conclusion
   * Palo Alto Networks Protection and Mitigation
 * XQL Hunting Queries
 * Indicators of Compromise
 * Additional Resources


RELATED ARTICLES

 * DarkGate: Dancing the Samba With Alluring Excel Files
 * Dissecting GootLoader With Node.js
 * Payload Trends in Malicious OneNote Samples


RELATED MALWARE RESOURCES

Threat Research

ATTACKERS EXPLOITING PUBLIC COBALT STRIKE PROFILES

 * Cobalt Strike
 * Malleable C2 profile

Read now
Threat Research

OPERATION DIPLOMATIC SPECTER: AN ACTIVE CHINESE CYBERESPIONAGE CAMPAIGN
LEVERAGES RARE TOOL SET TO TARGET GOVERNMENTAL ENTITIES IN THE MIDDLE EAST,
AFRICA AND ASIA

 * Advanced Persistent Threat
 * Backdoor
 * China

Read now
Threat Research

PAYLOAD TRENDS IN MALICIOUS ONENOTE SAMPLES

 * Malvertising
 * Microsoft OneNote
 * Phishing

Read now
Threat Actor Groups

FIGHTING URSA LURING TARGETS WITH CAR FOR SALE

 * Advanced Persistent Threat
 * APT28
 * Fancy Bear

Read now
Threat Research

SCAM ATTACKS TAKING ADVANTAGE OF THE POPULARITY OF THE GENERATIVE AI WAVE

 * ChatGPT
 * GenAI
 * Cybersquatting

Read now
Threat Research

ACCELERATING ANALYSIS WHEN IT MATTERS

 * Remote Access Trojan
 * Memory detection
 * Redline infostealer

Read now
Threat Research

BEWARE OF BADPACK: ONE WEIRD TRICK BEING USED AGAINST ANDROID DEVICES

 * Android APK
 * APK
 * Cerberus trojan

Read now
Threat Research

DARKGATE: DANCING THE SAMBA WITH ALLURING EXCEL FILES

 * Sandbox
 * Microsoft Excel
 * Malware-as-a-service

Read now
Threat Research

DISSECTING GOOTLOADER WITH NODE.JS

 * Sandbox
 * Memory detection
 * Anti-analysis

Read now
Threat Research

ATTACKERS EXPLOITING PUBLIC COBALT STRIKE PROFILES

 * Cobalt Strike
 * Malleable C2 profile

Read now
Threat Research

OPERATION DIPLOMATIC SPECTER: AN ACTIVE CHINESE CYBERESPIONAGE CAMPAIGN
LEVERAGES RARE TOOL SET TO TARGET GOVERNMENTAL ENTITIES IN THE MIDDLE EAST,
AFRICA AND ASIA

 * Advanced Persistent Threat
 * Backdoor
 * China

Read now
Threat Research

PAYLOAD TRENDS IN MALICIOUS ONENOTE SAMPLES

 * Malvertising
 * Microsoft OneNote
 * Phishing

Read now
Threat Actor Groups

FIGHTING URSA LURING TARGETS WITH CAR FOR SALE

 * Advanced Persistent Threat
 * APT28
 * Fancy Bear

Read now
Threat Research

SCAM ATTACKS TAKING ADVANTAGE OF THE POPULARITY OF THE GENERATIVE AI WAVE

 * ChatGPT
 * GenAI
 * Cybersquatting

Read now
Threat Research

ACCELERATING ANALYSIS WHEN IT MATTERS

 * Remote Access Trojan
 * Memory detection
 * Redline infostealer

Read now
Threat Research

BEWARE OF BADPACK: ONE WEIRD TRICK BEING USED AGAINST ANDROID DEVICES

 * Android APK
 * APK
 * Cerberus trojan

Read now
Threat Research

DARKGATE: DANCING THE SAMBA WITH ALLURING EXCEL FILES

 * Sandbox
 * Microsoft Excel
 * Malware-as-a-service

Read now
Threat Research

DISSECTING GOOTLOADER WITH NODE.JS

 * Sandbox
 * Memory detection
 * Anti-analysis

Read now
Threat Research

ATTACKERS EXPLOITING PUBLIC COBALT STRIKE PROFILES

 * Cobalt Strike
 * Malleable C2 profile

Read now
Threat Research

OPERATION DIPLOMATIC SPECTER: AN ACTIVE CHINESE CYBERESPIONAGE CAMPAIGN
LEVERAGES RARE TOOL SET TO TARGET GOVERNMENTAL ENTITIES IN THE MIDDLE EAST,
AFRICA AND ASIA

 * Advanced Persistent Threat
 * Backdoor
 * China

Read now
Threat Research

PAYLOAD TRENDS IN MALICIOUS ONENOTE SAMPLES

 * Malvertising
 * Microsoft OneNote
 * Phishing

Read now
 * 
 * 


Get updates from Unit 42


PEACE OF MIND COMES FROM STAYING AHEAD OF THREATS. CONTACT US TODAY.

Your Email



By submitting this form, you agree to our Terms of Use and acknowledge our
Privacy Statement.



Invalid captcha!

Subscribe



PRODUCTS AND SERVICES

 * Network Security Platform
 * CLOUD DELIVERED SECURITY SERVICES
 * Advanced Threat Prevention
 * DNS Security
 * Data Loss Prevention
 * IoT Security

 * Next-Generation Firewalls
 * Hardware Firewalls
 * Strata Cloud Manager

 * SECURE ACCESS SERVICE EDGE
 * Prisma Access
 * Prisma SD-WAN
 * Autonomous Digital Experience Management
 * Cloud Access Security Broker
 * Zero Trust Network Access

 * Code to Cloud Platform
 * Prisma Cloud
 * Cloud-Native Application Protection Platform

 * AI-Driven Security Operations Platform
 * Cortex XDR
 * Cortex XSOAR
 * Cortex Xpanse
 * Cortex XSIAM
 * External Attack Surface Protection
 * Security Automation
 * Threat Prevention, Detection & Response

 * Threat Intel and Incident Response Services
 * Proactive Assessments
 * Incident Response
 * Transform Your Security Strategy
 * Discover Threat Intelligence


COMPANY

 * About Us
 * Careers
 * Contact Us
 * Corporate Responsibility
 * Customers
 * Investor Relations
 * Location
 * Newsroom


POPULAR LINKS

 * Blog
 * Communities
 * Content Library
 * Cyberpedia
 * Event Center
 * Manage Email Preferences
 * Products A-Z
 * Product Certifications
 * Report a Vulnerability
 * Sitemap
 * Tech Docs
 * Unit 42
 * Do Not Sell or Share My Personal Information

 * Privacy
 * Trust Center
 * Terms of Use
 * Documents


Copyright © 2024 Palo Alto Networks. All Rights Reserved
 * 
 * 
 * 
 * 
 * 

EN
 * Select your language
 * USA (ENGLISH)


Your browser does not support the video tag.


DEFAULT HEADING

Read the article
Seekbar



Volume
This site uses cookies essential to its operation, for analytics, and for
personalized content and ads. By continuing to browse this site, you acknowledge
the use of cookies. Privacy statement
Manage My Cookie Settings


Your Opt Out Preference Signal is Honored


PRIVACY PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information on cookie consent
Allow All


MANAGE YOUR CONSENT PREFERENCES

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms.    You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site.    All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages.    If you do not allow these cookies then
some or all of these services may not function properly.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites.    They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Back Button


COOKIE LIST



Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Reject All Confirm My Choices




×
–

undefined



Chat Input Box

Chat
Powered by