Malware Masquerading as Palo Alto GlobalProtect Tool Targets Middle East Users

Users in the Middle East are being targeted by sophisticated threat actors deploying malware disguised as the Palo Alto GlobalProtect tool, Trend Micro has revealed.

The malware employs a two-stage infection process, leveraging advanced command-and-control (C&C) infrastructure to evade detection and maintain persistent access to compromised systems.

The infection begins with a malicious setup.exe file, which initiates contact with specific hostnames to report infection progress and collect victim data.

The malware uses the Interactsh project, a tool originally intended for penetration testing for beaconing purposes. This allows the attackers to monitor which targets advance through the infection chain, further enhancing their control over the compromised networks.

Notably, the malware communicates with a URL resembling a company VPN portal to blend in with legitimate traffic. Written in C#, the malware is capable of executing remote PowerShell commands, downloading additional payloads, exfiltrating files, and encrypting communications.

Trend Micro’s findings include the following:

Dynamic C&C Infrastructure: The malware shifts to a newly registered URL, “sharjahconnect,” which likely references the UAE emirate Sharjah. This URL is crafted to mimic a legitimate VPN portal for a UAE-based company, allowing the malware to blend seamlessly with regional network traffic and enhancing its ability to evade detection.

Domain Masquerading: By imitating a trusted regional service, the attackers exploit established trust relationships, increasing the likelihood of successful command-and-control (C&C) communications.

Geopolitical Targeting: The regional focus of the domain and the origin of the submission indicate a targeted campaign against Middle Eastern entities, potentially motivated by geopolitical or economic espionage.

Use of Newly Registered Domains: Leveraging newly created domains for C&C activities helps attackers circumvent blacklists and complicates attribution efforts.

An Ounce of Prevention

Given the likely use of social engineering to lure victims into downloading fake tools and services, entities and individuals must prioritize defense against such tactics.

Trend Micro recommends a multi-layered approach combining education, policies, technology, and vigilance is essential:

• User Awareness and Training: Regular training sessions on social engineering attack types, updates on new tactics, and educating employees to recognize common warning signs can help reduce the risk of falling for social engineering schemes.
• Principle of Least Privilege: Limiting employee access to only the data and systems necessary for their roles minimizes the impact of a breach by reducing attackers’ access to critical information.
• Email and Web Security: Deploying robust email and web security solutions can help filter out and block malicious content before it reaches users.
• Incident Response Plan: Establishing a well-defined incident response plan is key for effectively managing social engineering attacks. This includes immediate actions to contain and mitigate the threat.