Malware Disguised as GlobalProtect VPN
Summary
Cybersecurity researchers have identified a new malware campaign targeting users in the Middle East. The malware, disguised as the Palo Alto Networks GlobalProtect VPN tool, demonstrates a sophisticated infection chain and utilizes advanced Command and Control (C&C) infrastructure to evade detection. This advisory provides a detailed analysis of the threat, including Indicators of Compromise (IoCs), and offers recommendations for mitigation.
Affected Regions
- Middle East
Threat Overview
- Malware Type: Backdoor Malware
- Disguise: Palo Alto Networks GlobalProtect VPN Tool
- Infection Vector: Likely Phishing Emails
- Capabilities:
- Remote PowerShell command execution
- File exfiltration
- Encrypted communication
- Sandbox evasion techniques
Detailed Analysis
Infection Chain
The malware is introduced to the target system via a phishing campaign that deceives users into downloading a fake GlobalProtect VPN installer (setup.exe). The following is the infection process:
- Initial Payload: The malware begins with the execution of
setup.exe, which installs the primary malware componentGlobalProtect.exe. - Configuration Files: Two configuration files,
RTime.confandApProcessId.conf, are dropped into the system to assist in data collection and exfiltration. - Beaconing Process:
GlobalProtect.exeinitiates beaconing to notify the threat actors of the infection status using the Interactsh open-source project for DNS-based C&C communication.
Behavior and Command Execution
The malware executes a range of commands to maintain persistence and exfiltrate data:
- Sandbox Evasion: The malware checks the file path and specific files before executing its main code to avoid detection.
- Data Collection: The malware gathers machine details such as IP address, OS version, username, and machine name.
- Command Execution: It supports commands for file upload, download, process creation, and PowerShell execution.
- Encryption: All communication with the C&C server is encrypted using AES (ECB mode).
Indicators of Compromise (IoCs)
The following IoCs are associated with this campaign:
IP Addresses:
- 94[.]131[.]108[.]78
Domains:
- portal[.]sharjahconnect[.]online
- tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step1-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step2-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step3-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step4-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step5-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
- step6-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
Recommendations
To mitigate the risk posed by this malware, cybersecurity researchers recommend the following measures:
- User Awareness and Training: Conduct ongoing training sessions to educate users about phishing tactics and recognizing malicious software.
- Apply the Principle of Least Privilege: Limit user access to essential data and systems to reduce the impact of potential breaches.
- Implement Advanced Email and Web Security: Deploy robust solutions to filter and block phishing attempts and other malicious content.
- Establish a Comprehensive Incident Response Plan: Develop and maintain an incident response plan to quickly address and mitigate social engineering and malware attacks.
Sources
- Trend Micro - https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
- The Hacker News - https://thehackernews.com/2024/08/new-malware-masquerades-as-palo-alto.html?m=1
Conclusion
The malware targeting the Middle East demonstrates a high level of sophistication, leveraging dynamic C&C infrastructure and advanced evasion techniques. The use of domain masquerading and targeted phishing suggests a campaign possibly driven by geopolitical or economic motivations. This underscores the importance of adopting robust cybersecurity measures to detect and mitigate such threats.