Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

    Tuesday, September 3, 2024 In: Threat Research Print

    Date: 09/03/2024

    Severity: Medium

    Summary

    "Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant" refers to a cybersecurity attack where cybercriminals disguise malicious software as a legitimate GlobalProtect VPN client. This spoofed software is used to distribute a specific variant of WikiLoader malware. The attack exploits the trust associated with the genuine GlobalProtect VPN to trick users into installing the malware, which can then facilitate further attacks or unauthorized access to systems.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1

    https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1

    https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1

    https://bitbucket.org/bitprotect/globalproject/src/main/

    https://arbei    tsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1

    https://globalprojectvpn.com

    https://globalprotect.securedownload.today/GlobalProtect64.zip

    https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1

    Hash

    78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215

e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41

912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35

c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6

9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024

2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415

0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f

1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee

2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08

d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f

c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c

534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3

ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe

551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da

1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd

abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed

69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8

f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665

e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32

4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415

e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b

0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742

6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9

148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819

4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18

5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7

66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b

a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b

edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9

50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51

8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a

0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66

76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9

82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85

b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0

2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec

f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1" or url like "https://jlholgado.com/wp-content/themes/twentytwentyfour/zca2ck.php?id=1" or userdomainname like "https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1" or url like "https://elpgtextil.com/wp-content/themes/twentytwentyfour/44snwx.php?id=1" or userdomainname like "https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1" or url like "https://www.estudioemm.com/wp-content/themes/twentytwelve/d4kih3.php?id=1" or userdomainname like "https://bitbucket.org/bitprotect/globalproject/src/main/" or url like "https://bitbucket.org/bitprotect/globalproject/src/main/" or userdomainname like "https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1" or url like "https://arbeitsschutz-mmk.de/plugins/search/contacts/chrndi.php?id=1" or userdomainname like "https://globalprojectvpn.com" or url like "https://globalprojectvpn.com" or userdomainname like "https://globalprotect.securedownload.today/GlobalProtect64.zip" or url like "https://globalprotect.securedownload.today/GlobalProtect64.zip" or userdomainname like "https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1" or url like "https://carniceriamartinezadria.com/wp-content/themes/twentytwentyfour/rleoec.php?id=1"

    Hash

    sha256hash IN ("78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae5653ca4b6e7839e1215","e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41","912cc2a3592b3b7835205d275cbf92bb66effc99cbd5cc338a223888de1b0d35","c3280452e7c96253b215342f2fac14634591adf68f88bcf7dc920d5f28022cd6","9a48f32e00877a4335206c7da45a94ca8bd46648d3a0bc88e0789dabf8139024","2add886330db1480da7314ee38428ca79af04f8c461c3bbbd68e202bb5f4c415","0de42118dd0cd861bea13de097457ccb407aae901b14e0bec59b0abe660cdf1f","1d6f76acecff63fb373b5774a3cb34b87266a4a4bbb8e3a0757d107187d280ee","2ab449666cf006125075e3ded8053cdfd318e4772d4145f0fa861f1d42cb2b08","d4eb9a4ee389f03c402e553724015af8d5b85835828bd66b1b45131b6837802f","c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc54ae4fc5e3f45d91c","534c989d110ece8c429d2ded913933b961710726d8655b858474bc31dfed25c3","ec59616b1c80951d6597d4f25a9c031be0391151dc1073a5bece466473f0bdfe","551da6814a01a280afe90aa6bb238f499d98ad496c0d8472a1705540a6f422da","1c1d739f0282bfd9367e29ca81c61ed4a731e5150a836d0371e5e9d0121c9dfd","abce298ebb4ac7bc1a5167179875afc88e7e99475bf681953e8b964237b7d7ed","69a94bbed366bfd917dfd8fb6e5fd7ba52e2dbf338edd0c259654981060943c8","f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665","e07787caf52dd3e7dd0da600dbd1d909f3799dcebcdc60d101baf3ea17ef1e32","4f573ab13882efa234a79483d305b3001cb09c0a166ff94c925844b860162415","e693652763141522621f9fcd80efb30cefa363f8bd9bdc65e5ffbf9fb8d76d3b","0d495a94e29faa4dfded29253322be1b2c534a56c078bea1ad8f1dc1fd23b742","6aa4a830aa8d89b629fe87d3d3e986042215b5bcd670417933fca854b6dd58d9","148b29123bb0c28614858460d7a10707469fecebd6a9ff1da98a0c76a89a9819","4f2079cd2e228a2777df45ae00714c8679531fd8ad82a66b5c1b10e800771f18","5576ab87eb11ca4d2944bc1c2c6a8c349e18c7ded583c1ba9bd99eff9d8ac4d7","66735d0178badf035be0e142f4fb8e23d860bfc9bbdc3e12ad1f2764de91ee9b","a001642046a6e99ab2b412d96020a243a221e3819eaac94ab3251fad7d20614b","edec55f87e535f869119db44e4e7302081f53dbf33a27aaf905430cedc5a78b9","50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51","8d5e185d53e81e90646d684dff7cb399973e3cde6d833e6f7431074f4362139a","0c44a46f1c8e46fe6b6f83ec249c95301aca1bc4765cee7bdadd021bbfd2ff66","76d1a876c90ec16f44685f795e64ab84bd2d3f5a91db659c9879b3461ee104f9","82ec4e1a6ddf6eeb4030d6dd698f4576d0445d4d5722d5c60b0cc74ac501bb85","b412b2c190b8406392406d9a8e3abce91c9014950bcf835eb7d9b50d0f128cb0","2b8b3f5b692f716116a1468b8d7b273baf7a6cef0726e831cd307d2f2c7452ec","f04715827e5453b33ba6fae8475b8c45150b27cc1361441648c46d13025283d2")

    Reference:

    https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/


    Tags

    MalwarePhishing

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2024 by Gurucul - All rights reserved.