Threat Actors Install Backdoor via Fake Palo Alto GlobalProtect Lure

The researchers have not been able to determine how the malware is delivered.

Malware disguised as the genuine Palo Alto GlobalProtect tool is being used by malicious actors to target Middle Eastern firms. The malware can steal data and run remote PowerShell commands to penetrate further into company networks. Palo Alto GlobalProtect is a security product from Palo Alto Networks that provides secure VPN access and supports multi-factor authentication.

The tool is frequently used by businesses to ensure that partners, contractors, and remote workers can securely access private network resources. By using Palo Alto GlobalProtect as bait, the attackers are evidently targeting high-value business entities that use enterprise software, rather than random users.

Trend Micro researchers have not been able to determine how the malware is delivered, but based on the bait employed, they believe the attack begins with a phishing email. Once executed, the malware checks for indicators that it is running in a sandbox before running its main code, then sends profile information about the compromised system to the command and control (C2) server.

As an additional evasion layer, the malware encrypts the strings and the data packets that will be exfiltrated to the C2. The C2 IP detected by Trend Micro used a newly registered URL containing the string "sharjahconnect", making it appear to be a legitimate VPN connection portal for Sharjah-based offices in the United Arab Emirates. Given the campaign's targeting scope, this choice lets the threat actors blend in with normal operations while minimising warning signs that could raise the victim's suspicion.

During the post-infection phase, beacons are sent out at regular intervals using the open-source Interactsh tool to report the malware's status to the threat actors. While Interactsh is a legitimate open-source tool employed by pentesters, its associated domain, oast.fun, has already been spotted in APT-level operations, such as the APT28 campaigns. However, no attribution was given for this operation involving the Palo Alto product lure.
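One way a defender could hunt for the two behaviours described in this and the preceding paragraph, as an added example that is not part of the original article or of the Trend Micro report: a small Python script that parses DNS resolver log lines, flags queries to the Interactsh domain oast.fun that recur from one client at a near-constant interval (the beaconing pattern), and flags any query name containing a lure string such as "sharjahconnect". The log format, the client addresses, the timestamps and the domain sharjahconnect.example-placeholder.net are constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS resolver log lines (not from the Trend Micro report).
# Assumed format: "<ISO-8601 timestamp> <client-ip> <query-name>"
SAMPLE_DNS_LOG = """\
2024-08-29T08:00:01Z 10.20.30.41 login.microsoftonline.com
2024-08-29T08:00:12Z 10.20.30.41 a1b2c3d4e5f6.oast.fun
2024-08-29T08:05:12Z 10.20.30.41 a1b2c3d4e5f6.oast.fun
2024-08-29T08:10:12Z 10.20.30.41 a1b2c3d4e5f6.oast.fun
2024-08-29T08:11:03Z 10.20.30.42 sharjahconnect.example-placeholder.net
2024-08-29T08:12:44Z 10.20.30.43 www.example.com
2024-08-29T08:15:12Z 10.20.30.41 a1b2c3d4e5f6.oast.fun
"""

# Interactsh's public OAST domain named in the article.
OAST_DOMAINS = ("oast.fun",)
# Lure strings worth flagging when they show up in domains your organisation does not own.
LURE_STRINGS = ("sharjahconnect", "globalprotect")
# Beacon heuristic: at least MIN_BEACON_COUNT queries for the same OAST host
# from the same client, with the gaps between queries differing by no more
# than JITTER_TOLERANCE_S seconds. Both thresholds are assumptions to tune.
MIN_BEACON_COUNT = 3
JITTER_TOLERANCE_S = 30

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "client": m.group(2), "qname": m.group(3).lower().rstrip(".")}


def is_oast_query(qname):
    """True if the query name is an OAST domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in OAST_DOMAINS)


def has_lure_string(qname):
    return any(s in qname for s in LURE_STRINGS)


def find_beacons(records):
    """Group OAST queries by (client, name) and report the periodic ones."""
    groups = defaultdict(list)
    for r in records:
        if is_oast_query(r["qname"]):
            groups[(r["client"], r["qname"])].append(r["ts"])
    beacons = []
    for (client, qname), times in groups.items():
        if len(times) < MIN_BEACON_COUNT:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= JITTER_TOLERANCE_S:
            beacons.append({
                "client": client,
                "qname": qname,
                "count": len(times),
                "interval_s": round(sum(gaps) / len(gaps)),
            })
    return beacons


def analyse_log(text):
    """Return a list of findings: periodic OAST beacons, then lure-string domains."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    findings = [{"type": "oast_beacon", **b} for b in find_beacons(records)]
    seen = set()
    for r in records:
        if has_lure_string(r["qname"]) and r["qname"] not in seen:
            seen.add(r["qname"])
            findings.append({"type": "lure_domain", "client": r["client"], "qname": r["qname"]})
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_DNS_LOG):
        print(finding)
```

Because Interactsh is also used by authorised penetration testers, an oast.fun beacon hit should be correlated with the organisation's testing schedule before it is treated as an incident; a lure-domain hit on a newly registered domain that the organisation does not own is the stronger signal of the campaign described here.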

The following commands were received from the command and control server: 

  • time to reset: Pauses malware operations for a specified duration.
  • pw: Runs a PowerShell script and sends the result to the attacker's server.
  • pr wtime: Reads or writes a wait time to a file.
  • pr create-process: Starts a new process and returns its output.
  • pr dnld: Downloads a file from a specified URL.
  • pr upl: Uploads a file to a remote server.
  • invalid command type: Returned when an unrecognised or malformed command is encountered.

Trend Micro reports that, while the attackers are unknown, the operation appears to be highly targeted, with unique URLs for the targeted companies and newly registered C2 domains to evade blocklists.