Hackers use a fake Palo Alto GlobalProtect Tool to breach targets

September 10, 2024

Hackers are using a fake Palo Alto GlobalProtect tool as a lure to breach Middle Eastern organisations and infect them with malware that can steal data and execute PowerShell commands remotely, giving the attackers a foothold inside the targeted internal networks.

Palo Alto GlobalProtect is a legitimate security product from Palo Alto Networks that provides VPN access protected by multi-factor authentication (MFA). Organisations use it to give remote employees, contractors, and partners secure access to private network resources.

The fact that the threat actors built their lure around GlobalProtect indicates that they are targeting high-value business entities through enterprise software rather than random individuals.

The researchers who uncovered the campaign do not yet know how the malware is distributed, but they suspect that the attack starts with a phishing email.

Once a victim runs a file called ‘setup.exe’, it drops a file called ‘GlobalProtect.exe’ along with configuration files and displays a popup that mimics a standard GlobalProtect installation. While the victim watches the fake installer, the malware quietly loads onto the device in the background.

Before executing its primary payload, the malware checks for indicators that it is running in a sandbox. It then sends profile information about the compromised system to the attacker-controlled command-and-control (C2) server. As an additional evasion layer, the malware encrypts its strings and the data packets it exfiltrates to the C2 server.

The fake Palo Alto GlobalProtect tool was hidden behind what looks like a legitimate VPN portal

According to the investigation, a newly detected C2 IP address was paired with a newly registered domain containing the string “sharjahconnect”, which likely hosts the fake Palo Alto GlobalProtect tool. The naming makes the C2 infrastructure look like a legitimate VPN portal for Sharjah-based offices in the UAE.

Given the campaign’s targeted industry and region, this choice lets the threat actors blend in with normal operations and reduces the red flags that might raise suspicion. In the post-infection phase, the malware also sends regular beacons through the open-source Interactsh tool, which the attackers use to track the malware’s status.

While Interactsh is a legitimate open-source tool used by penetration testers, its associated domain, oast.fun, has already been observed in APT-level operations such as APT28 campaigns. The operators behind this campaign remain unknown, and the operation appears to be highly targeted.
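The two network-level indicators described above, regular beacons to Interactsh out-of-band domains and a lookalike “sharjahconnect” VPN-portal domain, are straightforward to hunt for in DNS query logs. The script below is an added example written for this article, not code from the researchers or from the campaign itself. It parses constructed sample log lines (not real telemetry), flags any query under an Interactsh server domain, measures the beacon interval per source host, and flags domains containing the campaign’s naming keyword. oast.fun is the domain the article names; the other Interactsh domains in the list are assumed to be the remaining public server defaults of the interactsh-client and should be verified against the current release. The sample hostnames and the log format are assumptions.

```python
"""Hunt DNS query logs for Interactsh (OAST) beacons and lookalike VPN-portal domains.

Added example for this article; the log format, hostnames and IPs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# oast.fun is named in the article. The remaining entries are assumed to be the other
# public Interactsh server domains shipped as interactsh-client defaults (verify locally).
INTERACTSH_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online", "oast.me")

# Naming keyword tied to the campaign's C2 domain; extend with local policy as needed.
SUSPICIOUS_KEYWORDS = ("sharjahconnect",)

# Constructed sample log: "<ISO-8601 timestamp> <source IP> <queried name>"
SAMPLE_LOG = """\
2024-09-10T08:00:01Z 10.0.5.23 login.microsoftonline.com
2024-09-10T08:00:07Z 10.0.5.23 c5f1a2b3d4e5f6a7b8c9d0e1.oast.fun
2024-09-10T08:05:07Z 10.0.5.23 c5f1a2b3d4e5f6a7b8c9d0e1.oast.fun
2024-09-10T08:10:07Z 10.0.5.23 c5f1a2b3d4e5f6a7b8c9d0e1.oast.fun
2024-09-10T08:10:09Z 10.0.5.23 sharjahconnect.example
2024-09-10T08:11:00Z 10.0.7.41 cdn.jsdelivr.net
2024-09-10T08:11:30Z 10.0.7.41 globalprotect.example-corp.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)$")


def parse_line(line):
    """Return a dict with ts/src/qname for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(qname):
    """Label a queried name: 'interactsh_beacon', 'lookalike_portal', or None."""
    q = qname.lower().rstrip(".")
    # Match the OAST domain itself or any label under it; 'notoast.fun' must not match.
    if any(q == d or q.endswith("." + d) for d in INTERACTSH_DOMAINS):
        return "interactsh_beacon"
    if any(kw in q for kw in SUSPICIOUS_KEYWORDS):
        return "lookalike_portal"
    return None


def _to_epoch(ts):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def hunt(log_text, min_beacons=2):
    """Return findings: periodic Interactsh beacons per source and keyword hits."""
    beacons = defaultdict(list)   # src -> [(epoch, qname), ...]
    keyword_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        verdict = classify(rec["qname"])
        if verdict == "interactsh_beacon":
            beacons[rec["src"]].append((_to_epoch(rec["ts"]), rec["qname"].lower()))
        elif verdict == "lookalike_portal":
            keyword_hits.append((rec["src"], rec["qname"].lower()))

    findings = []
    for src, events in beacons.items():
        if len(events) < min_beacons:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        findings.append({
            "type": "interactsh_beacon",
            "src": src,
            "count": len(events),
            "names": sorted({q for _, q in events}),
            # Median gap between beacons; a stable value indicates a scheduled check-in.
            "interval_s": int(median(gaps)) if gaps else None,
        })
    for src, qname in keyword_hits:
        findings.append({"type": "lookalike_portal", "src": src, "qname": qname})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

On the constructed sample, the host 10.0.5.23 is reported with three queries to one oast.fun subdomain at a steady 300-second interval and a separate hit on the “sharjahconnect” keyword; the other host produces nothing. In production, feed real resolver or EDR DNS telemetry into `hunt()`, tune `min_beacons` upward to cut noise from one-off pentest traffic, and treat any Interactsh query from a host that is not running an authorised assessment as worth a look.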
