BIGFISH TECHNOLOGY LIMITED
30 August 2024

Fake Palo Alto GlobalProtect used as a lure to backdoor enterprises.

Threat actors are targeting Middle Eastern enterprises with malware masquerading as the legitimate Palo Alto GlobalProtect client. The malware can steal data and execute remote PowerShell commands to push the intrusion deeper into internal networks.

Palo Alto GlobalProtect is a legitimate security product from Palo Alto Networks that provides secure VPN access with multi-factor authentication. Organizations widely deploy it to give remote employees, contractors, and partners secure access to private network resources.

Using GlobalProtect as the lure shows that the attackers are after high-value business targets that run enterprise software, rather than random individuals.

Enterprise VPN software as a lure.
Researchers at Trend Micro, who uncovered this campaign, do not know how the malware is distributed, but given the lure they suspect the attack begins with a phishing email.

The victim runs a file called 'setup.exe', which drops a file called 'GlobalProtect.exe' along with configuration files.

At this point a window imitating a normal GlobalProtect installation is shown, while the malware quietly loads onto the device in the background.

Before executing its main code, the malware checks for indicators that it is running in a sandbox. It then sends profiling information about the compromised system to the command and control (C2) server.

As an additional evasion layer, the malware encrypts its strings and the data packets it exfiltrates to the C2.

The C2 IP address identified by Trend Micro was tied to a newly registered domain containing the string "sharjahconnect", making it look like a legitimate VPN portal for Sharjah-based offices in the United Arab Emirates.

Given the campaign's targeting, this choice lets the threat actors blend in with normal operations and reduces the chance of raising the victim's suspicion.

During the post-infection phase, the malware uses the open-source Interactsh tool to send beacons at regular intervals, reporting its status to the threat actors.

While Interactsh is a legitimate open-source tool used by penetration testers, its associated domain, oast.fun, has previously been observed in APT-level operations, including APT28 campaigns. No attribution was made for this operation involving the Palo Alto product lure, however.

The following commands were received from the command and control server:

- time to reset: Pauses malware activity for a predetermined amount of time.
- pw: Executes a PowerShell script and sends its output to the attacker's server.
- pr wtime: Reads or writes a wait time to a variable.
- pr create-process: Starts a new process and returns its output.
- pr dnld: Downloads a file from a given URL.
- pr upl: Uploads a file to a remote server.
- invalid command type: Returned when an incorrect or unrecognized command is encountered.
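The two post-infection behaviours described above, the Interactsh beaconing and the PowerShell execution driven by the C2 commands, are also the two things a defender can hunt for in existing telemetry. The following Python is an added example written for this page, not code from Trend Micro, Bleeping Computer or Palo Alto Networks. It assumes a constructed, hypothetical DNS-log and process-creation-log line format (the regexes are placeholders for your real sources), it extends the page's one named domain, oast.fun, with the other default Interactsh server domains as I recall them from that project (an assumption, not stated on the page), and it assumes the legitimate GlobalProtect client lives under C:\Program Files\Palo Alto Networks\GlobalProtect (also not from the page).

```python
import ntpath
import re
from dataclasses import dataclass

# oast.fun is the domain named in the article. The other entries are the
# remaining default Interactsh server domains as I recall them from the
# project (an assumption; they are not listed on this page).
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.me")

# Assumed install directory of the real GlobalProtect client (not from the
# page); anything named GlobalProtect.exe outside it is suspicious.
LEGIT_GP_DIR = r"c:\program files\palo alto networks\globalprotect"


@dataclass(frozen=True)
class Finding:
    rule: str    # which detection fired
    host: str    # endpoint the log line came from
    detail: str  # queried name or process image


def is_oast_query(qname: str) -> bool:
    """True if qname is an Interactsh server domain or any subdomain of one.
    Interactsh beacons use random labels under the server domain, so the
    suffix match is what matters; trailing dots from DNS logs are stripped."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in OAST_DOMAINS)


# Constructed log formats for this example (hypothetical; adapt the regexes
# to the real DNS and process-creation sources in your environment).
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query=(?P<qname>\S+)$")
PROC_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) proc parent="(?P<parent>[^"]+)" '
    r'image="(?P<image>[^"]+)"(?: cmdline="(?P<cmdline>[^"]*)")?$'
)
POWERSHELL = ("powershell.exe", "pwsh.exe")


def scan_dns(lines):
    """Flag DNS queries to Interactsh domains (the beaconing channel)."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and is_oast_query(m["qname"]):
            findings.append(Finding("oast-beacon", m["host"], m["qname"]))
    return findings


def scan_proc(lines):
    """Flag GlobalProtect.exe spawning PowerShell (what the 'pw' command
    produces) and GlobalProtect.exe running outside the expected install path."""
    findings = []
    for line in lines:
        m = PROC_LINE.match(line.strip())
        if not m:
            continue
        parent_name = ntpath.basename(m["parent"]).lower()
        image_name = ntpath.basename(m["image"]).lower()
        image_dir = ntpath.dirname(m["image"]).lower()
        if parent_name == "globalprotect.exe" and image_name in POWERSHELL:
            findings.append(Finding("gp-spawns-powershell", m["host"], m["image"]))
        if image_name == "globalprotect.exe" and not image_dir.startswith(LEGIT_GP_DIR):
            findings.append(Finding("gp-unexpected-path", m["host"], m["image"]))
    return findings


def hunt(dns_lines, proc_lines):
    """Run both scans and return the combined findings."""
    return scan_dns(dns_lines) + scan_proc(proc_lines)


# Constructed sample telemetry for one infected workstation (WS-114) and one
# clean one (WS-207). Hostnames, user and paths are made up; PanGPA.exe is,
# as I understand the product, the real client's agent process.
SAMPLE_DNS = """\
2024-08-20T09:15:02Z WS-114 dns query=login.microsoftonline.com
2024-08-20T09:15:41Z WS-114 dns query=c5h2k9.oast.fun
2024-08-20T09:16:03Z WS-207 dns query=updates.paloaltonetworks.com
2024-08-20T09:25:41Z WS-114 dns query=c5h2k9.oast.fun.
""".splitlines()

SAMPLE_PROC = r"""
2024-08-20T09:15:30Z WS-114 proc parent="C:\Users\amal\Downloads\setup.exe" image="C:\Users\amal\Downloads\GlobalProtect.exe"
2024-08-20T09:15:39Z WS-114 proc parent="C:\Users\amal\Downloads\GlobalProtect.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -WindowStyle Hidden"
2024-08-20T09:20:11Z WS-207 proc parent="C:\Windows\explorer.exe" image="C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_DNS, SAMPLE_PROC):
        print(f"{f.rule:22} {f.host:8} {f.detail}")
```

Two caveats when running this against real data: a pentest in progress will legitimately generate oast.* lookups, so correlate the querying host with who is doing the testing rather than blocking outright, and the article notes the actors register fresh C2 domains per target, so the domain list only catches the Interactsh status channel, not the primary C2; the process-lineage rule is what covers the latter.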

Trend Micro reports that, while the attackers are unknown, the operation appears to be highly targeted, with unique URLs for the targeted companies and newly created C2 domains to evade blocklists.


Source: Bleeping Computer