New Malware Masquerades as Palo Alto VPN Targeting Middle East Users

Cyber Security

Products You May Like

Aug 30, 2024Ravie LakshmananMalware / Network Security

Cybersecurity researchers have disclosed a new campaign that potentially targets users in the Middle East through malware that disguises itself as Palo Alto Networks GlobalProtect virtual private network (VPN) tool.

“The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to targeted organizations,” Trend Micro researcher Mohamed Fahmy said in a technical report.

The sophisticated malware sample has been observed employing a two-stage process and involves setting up connections to command-and-control (C2) infrastructure that purports to be a company VPN portal, allowing the threat actors to operate freely without tripping any alarms.

Cybersecurity

The initial intrusion vector for the campaign is currently unknown, although it’s suspected to involve the use of phishing techniques to deceive users into thinking that they are installing the GlobalProtect agent. The activity has not been attributed to a specific threat actor or group.

The starting point is a setup.exe binary that deploys the primary backdoor component called GlobalProtect.exe, which, when installed, initiates a beaconing process that alerts the operators of the progress.

The first-stage executable is also responsible for dropping two additional configuration files (RTime.conf and ApProcessId.conf) that are used to exfiltrate system information to a C2 server (94.131.108[.]78), including the victim’s IP address, operating system information, username, machine name, and sleep time sequence.

“The malware implements an evasion technique to bypass behavior analysis and sandbox solutions by checking the process file path and the specific file before executing the main code block,” Fahmy noted.

The backdoor serves as a conduit to upload files, download next-stage payloads, and execute PowerShell commands. The beaconing to the C2 server takes place by means of the Interactsh open-source project.

Cybersecurity

“The malware pivots to a newly registered URL, ‘sharjahconnect’ (likely referring to the U.A.E. emirate Sharjah), designed to resemble a legitimate VPN portal for a company based in the U.A.E.,” Fahmy said.

“This tactic is designed to allow the malware’s malicious activities to blend in with expected regional network traffic and enhance its evasion characteristics.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
OpenAI and Anthropic agree to let U.S. AI Safety Institute test and evaluate new models
Apple and Google wallets want to help make the hotel room key card obsolete
Oppo Enco Air 4 With Active Noise Cancellation, IP55 Rating Unveiled: Price, Specifications
Atlantic Ocean Might Be Undergoing a Rapid Cooling Near Equator And Scientists Do Not Know Why

Leave a Reply

Your email address will not be published. Required fields are marked *