Hackers poison Google search results by spreading malware as spoofed VPN solution


Threat actors are spoofing GlobalProtect VPN software and delivering malicious payloads to people who trust the first results on Google Search, Palo Alto warns. This is a shift from traditional phishing attacks.

Security researchers from Unit 42, a security arm of Palo Alto Networks, discovered a new malicious campaign in June 2024.

Leveraging the GlobalProtect VPN brand, threat actors placed ads on Google Search that appeared above the organic search results and led to a malicious website.

The landing pages imitated authentic Palo Alto websites for GlobalProtect and tricked users into downloading a disguised malware loader, WikiLoader.

[Image: Malicious ad on Google Search. Image by Unit 42]

WikiLoader can download additional payloads, steal information, and provide attackers with remote access. This loader-for-rent has been active since at least late 2022, and it’s been updated with “some unique tricks.”

Researchers believe that initial access brokers – threat actors specializing in gaining access to computer systems – are shifting from phishing to delivery through SEO (search engine optimization) poisoning.

SEO poisoning means that attacker-controlled sites appear on the front page of search results instead of legitimate products. Hackers attempt this by purchasing advertisements or improving page rank.

Palo Alto researchers warn that SEO poisoning broadens the scope of potential victims and have already observed some organizations in the US higher education and transportation sectors affected by WikiLoader.

“While SEO poisoning is not a new technique, it continues to be an effective way to deliver a loader to an endpoint. Spoofing trusted security software is likely to assist in bypassing endpoint controls at organizations that rely on filename-based allow listing,” the Unit 42 report said.

Proofpoint previously reported that attackers used WikiLoader to deliver banking trojans such as Danabot or Ursnif/Gozi to organizations in Italy.

Attackers used many tricks to evade detection. The sample file obtained from a victim was called GlobalProtect64. However, it was a renamed copy of a legitimate share trading application used to sideload the first WikiLoader component. The zip archive included more than 400 hidden files.
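The quoted Unit 42 point about filename-based allow listing and the renamed trading application above are the same weakness seen from two sides: a control that trusts a binary because it is called GlobalProtect trusts anything with that name. The following added example (not code from the article or from Palo Alto Networks) contrasts a filename-only rule with one that also checks the Authenticode signer, the install path and the PE's own OriginalFilename, run over constructed process-creation events; the signer string, install path, and the placeholder publisher and original file name of the renamed binary are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (constructed, EDR/Sysmon-style fields)."""
    image: str          # full path of the executed binary
    original_name: str  # OriginalFilename from the PE version resource
    signer: str         # Authenticode signer subject, "" if unsigned


# Filename-only control: anything called GlobalProtect*.exe is trusted,
# wherever it came from. This is what a renamed legitimate binary defeats.
def filename_allowed(ev: ProcessEvent) -> bool:
    name = ev.image.rsplit("\\", 1)[-1].lower()
    return name.startswith("globalprotect") and name.endswith(".exe")


# Hardened rule: the on-disk name must map to an expected signer and install
# prefix, and the PE's own OriginalFilename must agree with the on-disk name.
# Signer string and path are assumptions for this example, not from the report.
TRUSTED = {
    "globalprotect.exe": (
        "Palo Alto Networks",
        "c:\\program files\\palo alto networks\\globalprotect\\",
    ),
}


def hardened_allowed(ev: ProcessEvent) -> bool:
    name = ev.image.rsplit("\\", 1)[-1].lower()
    rule = TRUSTED.get(name)
    if rule is None:
        return False
    signer, prefix = rule
    return (ev.signer == signer
            and ev.image.lower().startswith(prefix)
            and ev.original_name.lower() == name)


def triage(events):
    """Events a filename-only control would pass but the hardened rule rejects."""
    return [ev for ev in events if filename_allowed(ev) and not hardened_allowed(ev)]


# Constructed sample events; the trading-client name and publisher are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
                 "GlobalProtect.exe", "Palo Alto Networks"),
    ProcessEvent(r"C:\Users\victim\Downloads\GlobalProtect64\GlobalProtect.exe",
                 "TradingClient.exe", "Example Trading Software Ltd"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "Microsoft Windows"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("renamed binary passed filename allow list:", ev.image, "->", ev.original_name)
```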

To prevent victims from wondering why GlobalProtect was not installed, the malware shows a fake error message saying that a DLL is missing once the infection is complete.

Other renamed legitimate software, such as the Microsoft Sysinternals tool ADInsight.exe, was hidden inside the installer to sideload backdoors.

For command and control, the malware communicates with compromised WordPress sites.

“WikiLoader sample will terminate if it finds processes related to virtual machine software,” researchers noted.

They suspect continued WikiLoader use throughout 2024 and beyond.