SEO poisoning and VPN spoofing used to target anything and everything with WikiLoader malware


Hackers deploying the WikiLoader malware are shifting tactics, moving away from phishing and towards SEO poisoning and VPN spoofing. This is according to a new report from cybersecurity researchers at Palo Alto Networks’ Unit 42, who said that the new tactics, first observed a few months ago, are broadening the pool of potential victims.

In June this year, Unit 42 started tracking websites that claimed to offer GlobalProtect for download. GlobalProtect is Palo Alto Networks' VPN (Virtual Private Network) solution. It provides secure remote access for users who are outside the corporate network, ensuring that their connections to the network are secure and that their traffic is protected.

The websites were fake and the products offered for download there were spoofed copies that also carried a piece of malware. After creating the websites, the hackers engaged in SEO poisoning to get the sites to rank well on search engines such as Google or Bing.

WikiLoader

SEO poisoning is a tactic in which hackers link back to the malicious site from countless different sources, tricking the search engines into treating the website as a credible source of information.

As a consequence, when people search for related terms (for example, a VPN service), the search engines return the malicious site relatively high up on the results page, increasing the chances of people picking up the malware.

The malware being distributed in this campaign is called WikiLoader. Also known as WailingCrab, this multistage malware loader serves as a gatekeeper that allows malicious actors to drop additional payloads as they see fit. As such, it is usually deployed by initial access brokers (IABs), which later sell access to the loader to a third party, which can then do with it as it pleases.

Unit 42 primarily observed WikiLoader affecting the U.S. higher education and transportation sectors, the company said, but since SEO poisoning reaches everyone who uses a search engine, chances are that other people will get infected, too.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.