Security researchers at Palo Alto Networks have discovered a new attack campaign in which attackers use sophisticated tricks to spread malicious code through Google search results.

According to a report from Unit 42, Palo Alto Networks' threat research division, the attackers tampered with the GlobalProtect VPN installer and placed ads on Google Search to lure users to a malicious website.
WikiLoader can download additional payloads, steal information and give attackers remote access. The loader, which is rented out to other criminals, has been active since at least late 2022 and has been updated with "a number of unique tricks".
The researchers believe that the initial access brokers behind the threat, who find ways into computer systems for other criminals, are shifting from phishing to attacks via SEO poisoning (search engine optimization).
SEO poisoning means that a site under the attacker's control appears on the first page of search results instead of the legitimate product's page. Attackers achieve this by buying ads or by manipulating page ranking.
The Palo Alto researchers warned that SEO poisoning widens the pool of potential victims, and they observed a number of organizations in the US higher education and transportation sectors affected by WikiLoader.
"Although SEO poisoning is not a new technique, it is still an effective way to deliver a payload to an endpoint. Fake security software can reliably help bypass endpoint controls in organizations that rely on allow lists based on file names," the Unit 42 report said.

Proofpoint had previously reported that attackers used WikiLoader to distribute banking trojans such as Danabot and Ursnif/Gozi to organizations in Italy.
The attackers used several tricks to avoid detection. The sample file obtained from a victim was named GlobalProtect64.exe; however, it was a renamed copy of a legitimate stock-trading application, used to load the first WikiLoader component. The zip archive contained more than 400 files.
To keep victims from wondering why GlobalProtect did not install, the malware displays a fake error message saying that a DLL is missing once the infection process has completed.
Other legitimate software was renamed as well: for example, the Microsoft Sysinternals tool ADInsight.exe was hidden inside the installer and used to download the backdoor.
Experts recommend that users be cautious when downloading software from the internet, especially from Google search results, and always carefully verify the origin and authenticity of a website before downloading any file.
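The tricks described above (a renamed stock-trading app posing as GlobalProtect64.exe, a renamed Sysinternals binary, and the remark that file-name allow lists are bypassed by such copies) all have the same defensive answer: judge a binary by what it carries, not by what it is called. The following script is an added example and is not code from Unit 42 or Palo Alto Networks. It walks an extracted installer directory and flags PE files whose on-disk name, embedded OriginalFilename and Authenticode signer disagree. The root path and the expected signer string are assumptions for illustration.

```powershell
# Added example (not from the Unit 42 report): triage a downloaded "installer"
# directory by checking each PE's signer and embedded name rather than trusting
# the file name on disk.
# Assumptions: the extracted archive sits under $Root; $ExpectedSigner is the
# certificate subject text you expect for this product (here: Palo Alto Networks).
param(
    [string]$Root = "C:\Users\victim\Downloads\GlobalProtect",
    [string]$ExpectedSigner = "Palo Alto Networks"
)

Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $vi  = $_.VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

    $findings = @()

    # 1. Name claims to be the product, but the signer is someone else or absent:
    #    the renamed legitimate app used to load the first WikiLoader component.
    if ($_.BaseName -match 'GlobalProtect' -and $signer -notmatch [regex]::Escape($ExpectedSigner)) {
        $findings += "name claims $ExpectedSigner product, signer is '$signer'"
    }

    # 2. On-disk name differs from the name compiled into the version resource:
    #    a renamed binary (for example a Sysinternals tool) hiding under another name.
    #    PowerShell string comparison is case-insensitive, so Foo.EXE matches foo.exe.
    if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $_.Name)) {
        $findings += "OriginalFilename '$($vi.OriginalFilename)' differs from on-disk name"
    }

    # 3. Anything other than a valid signature (NotSigned, HashMismatch, NotTrusted ...)
    #    deserves a look before the file is allowed to run.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status $($sig.Status)"
    }

    [pscustomobject]@{
        File     = $_.FullName
        SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Signer   = $signer
        Product  = $vi.ProductName
        Findings = ($findings -join '; ')
    }
} | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Run it against the extracted archive before anything in it is executed; a legitimately signed GlobalProtect build produces no rows, while a renamed trading application or a relocated ADInsight.exe shows up on the first or second check. The SHA256 column is there so that any flagged file can be compared with vendor-published hashes or submitted to a sandbox.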
Source: laodongthudo.vn

