Malware Disguised as GlobalProtect VPN

Summary

Cybersecurity researchers have identified a new malware campaign targeting users in the Middle East. The malware, disguised as the Palo Alto Networks GlobalProtect VPN tool, demonstrates a sophisticated infection chain and utilizes advanced Command and Control (C&C) infrastructure to evade detection. This advisory provides a detailed analysis of the threat, including Indicators of Compromise (IoCs), and offers recommendations for mitigation.

Affected Regions

  • Middle East

Threat Overview

  • Malware Type: Backdoor Malware
  • Disguise: Palo Alto Networks GlobalProtect VPN Tool
  • Infection Vector: Likely Phishing Emails
  • Capabilities:
    • Remote PowerShell command execution
    • File exfiltration
    • Encrypted communication
    • Sandbox evasion techniques

Detailed Analysis

Infection Chain

The malware is introduced to the target system via a phishing campaign that deceives users into downloading a fake GlobalProtect VPN installer (setup.exe). The infection proceeds as follows:

  1. Initial Payload: The malware begins with the execution of setup.exe, which installs the primary malware component GlobalProtect.exe.
  2. Configuration Files: Two configuration files, RTime.conf and ApProcessId.conf, are dropped into the system to assist in data collection and exfiltration.
  3. Beaconing Process: GlobalProtect.exe initiates beaconing to notify the threat actors of the infection status using the Interactsh open-source project for DNS-based C&C communication.

Behavior and Command Execution

The malware executes a range of commands to maintain persistence and exfiltrate data:

  • Sandbox Evasion: The malware checks the file path and specific files before executing its main code to avoid detection.
  • Data Collection: The malware gathers machine details such as IP address, OS version, username, and machine name.
  • Command Execution: It supports commands for file upload, download, process creation, and PowerShell execution.
  • Encryption: All communication with the C&C server is encrypted using AES (ECB mode).

Indicators of Compromise (IoCs)

The following IoCs are associated with this campaign:

IP Addresses:

  • 94[.]131[.]108[.]78

Domains:

  • portal[.]sharjahconnect[.]online
  • tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step1-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step2-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step3-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step4-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step5-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
  • step6-{dsktoProcessId}[.]tdyfbwxngpmixjiqtjjote3k9qwc31dsx[.]oast[.]fun
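As an added defensive example (not part of this advisory), a small Python detector that scans DNS query log lines for the beaconing hostname pattern above (step<N>-<process id>.<fixed label>.oast.fun, as used by the Interactsh-based C&C described in the infection chain) and for the listed C&C domain and IP address. The log line format and the sample lines are constructed for illustration.

```python
import re

# Beaconing hostnames in this advisory follow
# step<N>-<process id>.<fixed label>.oast.fun (Interactsh DNS C&C).
# The fixed label is taken from the IoC list; the process id varies per host.
BEACON_RE = re.compile(
    r"^step(?P<step>\d+)-(?P<pid>[^.]+)\."
    r"tdyfbwxngpmixjiqtjjote3k9qwc31dsx\.oast\.fun$"
)
KNOWN_C2_DOMAINS = {"portal.sharjahconnect.online"}
KNOWN_C2_IPS = {"94.131.108.78"}

def refang(indicator: str) -> str:
    """Turn defanged '94[.]131[.]108[.]78' into '94.131.108.78'."""
    return indicator.replace("[.]", ".")

def classify(qname, answer=None):
    """Return (reason, details) when a query matches the campaign, else None."""
    name = refang(qname).rstrip(".").lower()
    m = BEACON_RE.match(name)
    if m:
        return ("interactsh-beacon", {"step": int(m["step"]), "pid": m["pid"]})
    if name in KNOWN_C2_DOMAINS:
        return ("known-c2-domain", {"domain": name})
    if answer and refang(answer) in KNOWN_C2_IPS:
        return ("known-c2-ip", {"domain": name, "ip": refang(answer)})
    return None

def scan_dns_log(lines):
    """Scan '<timestamp> <client> <qname> [<answer>]' lines; group hits by client."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        ts, client, qname = parts[:3]
        answer = parts[3] if len(parts) > 3 else None
        verdict = classify(qname, answer)
        if verdict:
            hits.setdefault(client, []).append((ts,) + verdict)
    return hits

# Constructed sample log lines (assumed format, not real telemetry).
SAMPLE_LOG = [
    "2024-08-01T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34",
    "2024-08-01T10:00:05Z 10.0.0.5 step1-4312.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun",
    "2024-08-01T10:00:09Z 10.0.0.5 step2-4312.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun",
    "2024-08-01T10:01:00Z 10.0.0.7 portal.sharjahconnect.online 94.131.108.78",
]
```

Hosts that appear under `interactsh-beacon` with ascending step numbers are the ones the advisory describes as actively reporting infection status; they are the first candidates for isolation and forensic triage.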

Recommendations

To mitigate the risk posed by this malware, cybersecurity researchers recommend the following measures:

  1. User Awareness and Training: Conduct ongoing training sessions to educate users about phishing tactics and recognizing malicious software.
  2. Apply the Principle of Least Privilege: Limit user access to essential data and systems to reduce the impact of potential breaches.
  3. Implement Advanced Email and Web Security: Deploy robust solutions to filter and block phishing attempts and other malicious content.
  4. Establish a Comprehensive Incident Response Plan: Develop and maintain an incident response plan to quickly address and mitigate social engineering and malware attacks.

Sources

Conclusion

The malware targeting the Middle East demonstrates a high level of sophistication, leveraging dynamic C&C infrastructure and advanced evasion techniques. The use of domain masquerading and targeted phishing suggests a campaign possibly driven by geopolitical or economic motivations. This underscores the importance of adopting robust cybersecurity measures to detect and mitigate such threats.