Article Details

New Malware Masquerades as Palo Alto VPN Targeting Middle East Users. Cybersecurity researchers have disclosed a new campaign that potentially targets users in the Middle East through malware that disguises itself as Palo Alto Networks GlobalProtect virtual private network (VPN) tool. "The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to targeted organizations," Trend Micro researcher Mohamed Fahmy said in a technical report. The sophisticated malware sample has been observed employing a two-stage process and involves setting up connections to command-and-control (C2) infrastructure that purports to be a company VPN portal, allowing the threat actors to operate freely without tripping any alarms. The initial intrusion vector for the campaign is currently unknown, although it's suspected to involve the use of phishing techniques to deceive users into thinking that they are installing the GlobalProtect agent. The activity has not been attributed to a specific threat actor or group. The starting point is a setup.exe binary that deploys the primary backdoor component called GlobalProtect.exe, which, when installed, initiates a beaconing process that alerts the operators of the progress. The first-stage executable is also responsible for dropping two additional configuration files (RTime.conf and ApProcessId.conf) that are used to exfiltrate system information to a C2 server (94.131.108[.]78), including the victim's IP address, operating system information, username, machine name, and sleep time sequence. "The malware implements an evasion technique to bypass behavior analysis and sandbox solutions by checking the process file path and the specific file before executing the main code block," Fahmy noted. The backdoor serves as a conduit to upload files, download next-stage payloads, and execute PowerShell commands. The beaconing to the C2 server takes place by means of the Interactsh open-source project. "The malware pivots to a newly registered URL, 'sharjahconnect' (likely referring to the U.A.E. emirate Sharjah), designed to resemble a legitimate VPN portal for a company based in the U.A.E.," Fahmy said. "This tactic is designed to allow the malware's malicious activities to blend in with expected regional network traffic and enhance its evasion characteristics."