Malware Campaign Targeting Middle Eastern Organizations with Fake Palo Alto GlobalProtect Tool
A recent malware campaign discovered by researchers at Trend Micro has been targeting Middle Eastern organizations, using a malicious tool disguised as the legitimate Palo Alto GlobalProtect software. The malware is designed to steal data and execute remote PowerShell commands, enabling attackers to move further into internal networks.
Palo Alto GlobalProtect is a legitimate security solution offered by Palo Alto Networks, providing secure VPN access with multi-factor authentication. It’s widely used by organizations to ensure that remote employees, contractors, and partners can securely access private network resources. The use of this tool as a lure indicates that the attackers are targeting high-value corporate entities that use enterprise software, rather than random individuals.
Delivery Method and Installation
The campaign is believed to start with a phishing email, which prompts the victim to execute a file named ‘setup.exe.’ This file deploys another file called ‘GlobalProtect.exe’ along with configuration files. During this process, a window resembling the normal GlobalProtect installation process appears, but in the background, the malware is being installed on the system.
Figure: Fake GlobalProtect installer window (Source: Trend Micro)
Once executed, the malware checks for signs of running in a sandbox environment before proceeding with its primary code. It then transmits profiling information about the breached machine to the command and control (C2) server. To evade detection, the malware uses AES encryption on its strings and data packets that are exfiltrated to the C2 server.
Command and Control Communication
The command and control address used by the malware includes the string “sharjahconnect,” making it appear like a legitimate VPN connection portal for Sharjah-based offices in the United Arab Emirates. This strategic choice helps the threat actors blend in with normal operations and reduces the likelihood of raising suspicion among victims.
The malware uses beacons sent out at periodic intervals to communicate its status to the threat actors in the post-infection phase. These communications use the Interactsh open-source tool, which is commonly used by pentesters but has also been observed in advanced persistent threat (APT) operations.
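As an added illustration of the periodic beaconing described above (this is not code from Trend Micro or the original article), the following Python sketch parses constructed proxy log lines and flags destinations that a host contacts at low-jitter, regular intervals. The log format, the hostnames and the thresholds are assumptions; the "sharjahconnect" hostname is a constructed stand-in for the lookalike C2 domain mentioned in the article.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (timestamp, source IP, destination host, status).
# One host is contacted roughly every 300 s with little jitter (beacon-like);
# the other is contacted at irregular times, as normal browsing would be.
SAMPLE_LOG = """\
2024-08-20T09:00:00Z 10.0.0.5 vpn.sharjahconnect.example 200
2024-08-20T09:00:07Z 10.0.0.5 updates.example.net 200
2024-08-20T09:05:01Z 10.0.0.5 vpn.sharjahconnect.example 200
2024-08-20T09:09:58Z 10.0.0.5 vpn.sharjahconnect.example 200
2024-08-20T09:11:30Z 10.0.0.5 updates.example.net 200
2024-08-20T09:15:02Z 10.0.0.5 vpn.sharjahconnect.example 200
2024-08-20T09:19:59Z 10.0.0.5 vpn.sharjahconnect.example 200
2024-08-20T09:47:12Z 10.0.0.5 updates.example.net 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse(log):
    """Yield (timestamp, src, host) tuples from the assumed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return {(src, host): mean_interval_seconds} for (source, destination)
    pairs whose request spacing is regular enough to look like a scheduled
    beacon: at least min_hits requests and a coefficient of variation of the
    inter-request gaps no greater than max_cv."""
    seen = {}
    for ts, src, host in parse(log):
        seen.setdefault((src, host), []).append(ts)
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low standard deviation relative to the mean means low jitter.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged
```

Real beacons often add deliberate jitter, so max_cv should be tuned against a baseline of your own traffic rather than taken from this sample.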
Commands Executed by the Malware
The malware can execute several commands received from the C2 server:
- time to reset: Pauses malware operations for a specified duration.
- pw: Executes a PowerShell script and sends the result to the attacker’s server.
- pr wtime: Reads or writes a wait time to a file.
- pr create-process: Starts a new process and returns the output.
- pr dnld: Downloads a file from a specified URL.
- pr upl: Uploads a file to a remote server.
- invalid command type: Returns this message if an unrecognized or erroneous command is encountered.
Figure: Overview of the attack (Source: Trend Micro)
Evasion Techniques and Targeting
The campaign uses custom URLs and freshly registered domains to evade blocklists and blend in with normal operations, which reduces the chance of raising suspicion among victims. Targeting is narrow, focusing on specific entities within the Middle East, particularly those in high-value sectors.
Mitigation and Recommendations
Organizations should be aware of phishing campaigns that use legitimate software as a lure. It is essential to verify the authenticity of software installation sources and processes. Strong endpoint protection and network monitoring should be implemented to detect and respond to suspicious activities. Additionally, ensuring that all software, including security tools like VPN clients, is up to date with the latest patches and security updates is crucial.
Source: bleepingcomputer.com