Hackers infect Google search results with malware disguised as fake VPN solution


Beware of Malicious GlobalProtect VPN Spoofing Campaign: Palo Alto Networks Warning

Security researchers from Unit 42 have uncovered a malicious campaign that abuses the GlobalProtect VPN brand. Threat actors are spoofing GlobalProtect VPN software and delivering malicious payloads to unsuspecting victims who trust the first results on Google Search.

The malicious campaign involves threat actors placing ads on Google Search that appear at the top of search results, leading users to a fake website that imitates authentic Palo Alto websites for GlobalProtect. Once on the site, users are tricked into downloading a disguised malware loader known as WikiLoader.

WikiLoader is a dangerous tool that can download additional payloads, steal information, and provide attackers with remote access to compromised systems. This loader-for-rent has been active since late 2022 and has recently been updated with new “unique tricks.”

Researchers believe that threat actors are shifting from traditional phishing attacks to delivery through SEO poisoning, where attacker-controlled sites appear on the front page of search results. This technique broadens the scope of potential victims, with organizations in the US higher education and transportation sectors already being affected by WikiLoader.

To evade detection, attackers have used various tricks, such as renaming legitimate software to sideload malware components and communicating with compromised WordPress sites for command and control. Researchers suspect that the use of WikiLoader will continue throughout 2024 and beyond.

Palo Alto Networks warns that spoofing trusted security software like GlobalProtect VPN can assist threat actors in bypassing endpoint controls at organizations that rely on filename-based allow listing. It is crucial for users to remain vigilant and cautious when downloading software from unfamiliar sources to avoid falling victim to such malicious campaigns.
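The weakness of filename-based allow listing can be shown with a short added example, which is not code from the article or from Unit 42: it compares a name-only decision with a hash-pinned one that also flags name/content mismatches. The file names, paths and contents are constructed placeholders, and hash pinning is used here as one stand-in for a content-based rule.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents; no real binaries or hashes are used.
GENUINE_CLIENT = b"constructed: genuine VPN client build"
SPOOFED_LOADER = b"constructed: unrelated program shipped under the trusted name"

@dataclass(frozen=True)
class FileEvent:
    path: str       # path reported by the endpoint agent (hypothetical)
    content: bytes  # file bytes; a real agent would hash the file on disk

# Weak policy from the article: trust keyed on the file name alone.
NAME_ALLOWLIST = {"vpn-client.exe"}            # hypothetical name
# Pinned policy: content hash -> the only name that content should run under.
HASH_ALLOWLIST = {sha256(GENUINE_CLIENT): "vpn-client.exe"}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def allow_by_name(ev: FileEvent) -> bool:
    """Filename-only decision: any content passes if the name matches."""
    return basename(ev.path) in NAME_ALLOWLIST

def triage(ev: FileEvent) -> str:
    """Hash-pinned decision that also reports name/content mismatches."""
    name = basename(ev.path)
    expected = HASH_ALLOWLIST.get(sha256(ev.content))
    if expected is None:
        # Unknown content: a trusted name here means the name is being spoofed.
        return "alert:trusted-name-unknown-content" if name in NAME_ALLOWLIST else "block"
    # Known content under another name: a renamed legitimate binary.
    return "allow" if name == expected else "alert:known-binary-renamed"

SAMPLES = {  # constructed events
    "genuine": FileEvent(r"C:\Program Files\Vendor\vpn-client.exe", GENUINE_CLIENT),
    "spoofed": FileEvent(r"C:\Users\u\Downloads\VPN-Client.exe", SPOOFED_LOADER),
    "renamed": FileEvent(r"C:\Users\u\AppData\Local\Temp\updater.exe", GENUINE_CLIENT),
    "unknown": FileEvent(r"C:\Users\u\Downloads\tool.exe", b"constructed: other"),
}

if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print(f"{label:8} name-only={allow_by_name(ev)!s:5} pinned={triage(ev)}")
```

The "renamed" case corresponds to the renaming of legitimate software mentioned above: the content is known, so the mismatch with its expected name is the signal worth alerting on.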
