A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.
The attackers manipulate search results (SEO poisoning) for common queries like “Pulse VPN download” or “Pulse Secure client” to redirect victims to spoofed VPN vendor sites that closely mimic VPN solutions from legitimate software vendors.
After examining the attack and command-and-control (C2) infrastructure, Microsoft researchers discovered that the same campaign used domains related to Sophos, SonicWall, Ivanti, Check Point, Cisco, WatchGuard, and others, targeting users of multiple enterprise VPN products.
In the observed attack, Microsoft found that the fake sites link to a GitHub repository (now taken down) that hosts a ZIP archive containing a fake VPN MSI installer.
[Figure: Fake Fortinet website. Source: Microsoft]
When executed, this file installs ‘Pulse.exe’ into %CommonFiles%\Pulse Secure, and drops a loader (dwmapi.dll) and a variant of the Hyrax infostealer (inspector.dll).
The fake VPN client displays a legitimate-looking login interface that invites victims to enter their credentials, which are captured and exfiltrated to the attacker's infrastructure.
The malware, which is digitally signed with a legitimate, but now revoked, certificate from Taiyuan Lihua Near Information Technology Co., Ltd., also steals VPN configuration data stored in the ‘connectionsstore.dat’ file from the legitimate program’s directory.
To reduce suspicion, the fake VPN client displays an installation error after stealing the credentials and then redirects the victim to the real vendor’s site to download the legitimate VPN client.
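The drop chain above (Pulse.exe plus dwmapi.dll and inspector.dll written under %CommonFiles%\Pulse Secure, followed by a read of connectionsstore.dat) gives defenders a concrete pattern to hunt for in endpoint file telemetry. The following Python is an added example written for this page; it is not Microsoft's detection logic and not code from the article. The one-line event format and the sample events are constructed; the file and directory names come from the article, and the observation that dwmapi.dll is the name of a legitimate Windows system library (which should never appear in an application directory) is general Windows knowledge, not something the article states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed event format (hypothetical, not a real EDR schema):
#   "<timestamp> host=<name> proc=<image> action=<create|read> path=<file>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)

# Directory the article reports the fake installer writes into (%CommonFiles%\Pulse Secure).
PULSE_DIR_RE = re.compile(r"\\common files\\pulse secure\\", re.IGNORECASE)
CONFIG_FILE = "connectionsstore.dat"          # VPN config file the stealer reads (per the article)
SYSTEM_DLL_NAMES = {"dwmapi.dll"}             # legitimate OS library name; in an app dir it is a side-load loader
PAYLOAD_NAMES = {"inspector.dll"}             # name reported for the Hyrax infostealer variant

# Constructed sample telemetry: WS-17 shows the full fake-installer chain,
# WS-22 shows an install that only writes Pulse.exe, WS-05 is unrelated noise.
SAMPLE_EVENTS = """
2024-05-01T09:12:01Z host=WS-17 proc=msiexec.exe action=create path=C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe
2024-05-01T09:12:02Z host=WS-17 proc=msiexec.exe action=create path=C:\\Program Files\\Common Files\\Pulse Secure\\dwmapi.dll
2024-05-01T09:12:02Z host=WS-17 proc=msiexec.exe action=create path=C:\\Program Files\\Common Files\\Pulse Secure\\inspector.dll
2024-05-01T09:12:40Z host=WS-17 proc=Pulse.exe action=read path=C:\\Program Files\\Common Files\\Pulse Secure\\connectionsstore.dat
2024-05-01T10:03:11Z host=WS-22 proc=msiexec.exe action=create path=C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe
2024-05-01T11:30:00Z host=WS-05 proc=explorer.exe action=create path=C:\\Users\\alice\\Downloads\\report.pdf
"""


@dataclass
class Event:
    ts: str
    host: str
    proc: str
    action: str
    path: str


@dataclass
class Finding:
    host: str
    severity: str
    reason: str
    path: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed one-line event format; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_drop(ev: Event) -> Optional[Finding]:
    """Flag the two DLL names the article ties to the fake client when written into the VPN directory."""
    if ev.action != "create" or not PULSE_DIR_RE.search(ev.path):
        return None
    name = _basename(ev.path)
    if name in SYSTEM_DLL_NAMES:
        return Finding(ev.host, "high",
                       f"Windows system DLL name '{name}' written into the VPN client directory (side-load loader)",
                       ev.path)
    if name in PAYLOAD_NAMES:
        return Finding(ev.host, "high",
                       f"known infostealer module name '{name}' written into the VPN client directory",
                       ev.path)
    return None


def detect(text: str) -> List[Finding]:
    """Run the drop rules, then correlate: a read of connectionsstore.dat on a host that
    already had a suspicious drop is escalated, because the legitimate client reads the
    same file and the name alone cannot tell the two apart."""
    findings: List[Finding] = []
    tainted: Dict[str, str] = {}  # host -> timestamp of first suspicious DLL drop
    for ev in parse_events(text):
        f = check_drop(ev)
        if f:
            findings.append(f)
            tainted.setdefault(ev.host, ev.ts)
            continue
        if (ev.action == "read" and _basename(ev.path) == CONFIG_FILE
                and PULSE_DIR_RE.search(ev.path) and ev.host in tainted):
            findings.append(Finding(ev.host, "critical",
                                    f"{CONFIG_FILE} read by {ev.proc} after suspicious DLL drop at "
                                    f"{tainted[ev.host]} (VPN config theft likely)",
                                    ev.path))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.reason} ({f.path})")
```

Only WS-17 is reported: the drop rules fire twice and the config-file read is escalated because it follows those drops on the same host. WS-22 writes only Pulse.exe, which a genuine install does too, so it is deliberately left alone; tightening that would require checking the installer's signature or download origin, which this sample telemetry does not carry.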