Threat Actors Target Middle Eastern Organizations with Fake Palo Alto GlobalProtect Tool
The malware, disguised as the Palo Alto GlobalProtect tool, employs a multi-stage infection process and advanced command-and-control (C&C) infrastructure, posing significant risks to the affected entities.
Introduction
On August 29, 2024, cybersecurity researchers identified a malware campaign targeting organizations in the Middle East. The malware, disguised as the Palo Alto GlobalProtect VPN client, employs a two-stage infection process and command-and-control (C&C) infrastructure built to look like legitimate regional traffic. Its ability to execute remote commands, exfiltrate files, and evade sandbox analysis underlines the growing threat landscape in the region.
Report Overview
The discovery of this malware came from an in-depth analysis of a sample seemingly originating from the Middle East. The malware masquerades as a legitimate Palo Alto GlobalProtect tool, making it more likely that targeted organizations will run it. The threat actors behind this campaign designed the malware to blend into the region's network traffic by using a newly registered domain, portal[.]sharjahconnect.online, which mimics the VPN portal of a company based in Sharjah, UAE. This disguise aids initial infiltration and lets the C&C traffic pass as ordinary VPN activity once a host is compromised.
The malware operates in two stages. The first stage is a file named setup.exe, which drops the main component, GlobalProtect.exe, along with two configuration files, RTime.conf and ApProcessId.conf. These files are placed in the user-writable directory C:\Users\(UserName)\AppData\Local\Programs\PaloAlto\, a path chosen to look like a vendor install folder while avoiding suspicion. A genuine GlobalProtect client is installed under C:\Program Files\Palo Alto Networks\GlobalProtect\, so a GlobalProtect.exe under a user's AppData directory is itself worth investigating.
Immediately after execution, the malware begins beaconing to hostnames of the form step[1-6]-[dsktoProcessId].tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast[.]fun. The oast.fun parent domain belongs to an Interactsh-style out-of-band interaction service, so each resolution of a step-numbered subdomain tells the threat actors how far the infection has progressed on a given host. Alongside these beacons the malware collects information from the victim's machine, including IP addresses, operating system details, and encryption keys, for the C&C server.
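The indicators above (the dropped file paths, the step-numbered beacon hostnames, and the C&C IP and URL paths listed later in this report) can be turned into a simple hunt over DNS, proxy and endpoint telemetry. The following is an added example written for this page, not code from the original report or from any vendor tool; the event dictionaries it scans are constructed sample telemetry, and the field names (`type`, `qname`, `host`, `port`, `path`) are assumptions about how such logs would be normalized, not a real log format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators quoted from the report, with defanging brackets removed so they
# match what appears in raw DNS, proxy and EDR telemetry.
C2_IP = "94.131.108.78"
C2_PORT = 7118
C2_PATHS = {"/B/hi/": "result upload", "/B/desktop/": "machine info upload"}
BEACON_DOMAIN = "tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun"
LOOKALIKE_DOMAIN = "portal.sharjahconnect.online"

# step1-<dsktoProcessId> ... step6-<dsktoProcessId> under the oast.fun beacon domain.
# The id format is assumed to be alphanumeric; the report does not specify it.
BEACON_RE = re.compile(
    r"^step([1-6])-([a-z0-9]+)\." + re.escape(BEACON_DOMAIN) + r"$", re.IGNORECASE
)

# The dropper writes under %LOCALAPPDATA%\Programs\PaloAlto\, which is not where a
# genuine GlobalProtect client lives (C:\Program Files\Palo Alto Networks\GlobalProtect\).
DROP_PATH_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Programs\\PaloAlto\\"
    r"(GlobalProtect\.exe|RTime\.conf|ApProcessId\.conf)$",
    re.IGNORECASE,
)


@dataclass
class Hit:
    source: str     # "dns", "http" or "file"
    indicator: str  # the value that matched
    detail: str     # what the match means according to the report


def check_dns(qname: str) -> Optional[Hit]:
    """Match a DNS query name against the beacon and lookalike domains."""
    q = qname.rstrip(".").lower()
    m = BEACON_RE.match(q)
    if m:
        return Hit("dns", q, f"beacon for infection step {m.group(1)}, id {m.group(2)}")
    if q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN):
        return Hit("dns", q, "beacon domain")
    if q == LOOKALIKE_DOMAIN:
        return Hit("dns", q, "lookalike VPN portal / likely C&C")
    return None


def check_http(host: str, port: int, path: str) -> Optional[Hit]:
    """Flag any connection to the C&C IP; name the known upload paths on port 7118."""
    if host != C2_IP:
        return None
    if port == C2_PORT:
        meaning = C2_PATHS.get(path, "unlisted path on C&C server")
    else:
        meaning = "connection to C&C IP on a port not listed in the report"
    return Hit("http", f"{host}:{port}{path}", meaning)


def check_file_path(path: str) -> Optional[Hit]:
    """Flag the malware components in the fake GlobalProtect directory."""
    if DROP_PATH_RE.match(path):
        return Hit("file", path, "malware component in fake GlobalProtect directory")
    return None


def scan(events: Iterable[dict]) -> List[Hit]:
    """Run every normalized event through the matching check and collect hits."""
    hits: List[Hit] = []
    for ev in events:
        kind = ev.get("type")
        hit = None
        if kind == "dns":
            hit = check_dns(ev["qname"])
        elif kind == "http":
            hit = check_http(ev["host"], ev["port"], ev["path"])
        elif kind == "file":
            hit = check_file_path(ev["path"])
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry (not taken from the report): two benign events
# are mixed in so the example shows what does NOT fire.
SAMPLE_EVENTS = [
    {"type": "dns", "qname": "step1-abc123.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun."},
    {"type": "dns", "qname": "portal.sharjahconnect.online"},
    {"type": "dns", "qname": "login.microsoftonline.com"},
    {"type": "http", "host": "94.131.108.78", "port": 7118, "path": "/B/desktop/"},
    {"type": "http", "host": "94.131.108.78", "port": 443, "path": "/B/hi/"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Programs\PaloAlto\GlobalProtect.exe"},
    {"type": "file", "path": r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h.source}] {h.indicator} -> {h.detail}")
```

The DNS check deliberately matches the whole oast.fun beacon domain and not only the six step-numbered forms, since an Interactsh-style service can be given any subdomain; a broader organizational rule would alert on resolutions of any oast.fun or other Interactsh domain from hosts that are not running security testing.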
A notable feature of this malware is its sandbox evasion technique: before executing its main code block, it checks its own process file path, so a sample detonated from a sandbox's scratch directory rather than the expected install path never reveals its real behaviour to behaviour-analysis tools. Additionally, the malware uses AES encryption for its communications with the C&C server, making the traffic harder to inspect and analyze without the key.
The implications of this malware are far-reaching, particularly for organizations in the Middle East. Its ability to execute remote PowerShell commands, download and execute additional payloads, and exfiltrate specific files means a successful infection can lead to significant data breaches and operational disruption. Routing C&C activity through a domain that mimics a regional VPN portal increases the likelihood that the traffic goes unnoticed, and the geopolitical targeting suggests espionage or other state-sponsored activity.
Insights and Analysis
Given the sophistication of this malware, organizations must enhance their cybersecurity posture to mitigate such threats. Regular training should teach employees to recognize social engineering and phishing, including the fake VPN installers used here. Access to sensitive data and systems should be restricted to limit the damage from a successful compromise. Security solutions that filter and block malicious content remain essential, as does a well-defined incident response plan. In practical terms, defenders should search endpoint telemetry for the dropped files under AppData\Local\Programs\PaloAlto\, alert on DNS resolutions of the oast[.]fun beacon domain and the sharjahconnect lookalike, and block the C&C IP and URLs listed below.
Indicators of Compromise (IOCs):
Indicator | Type | Description |
---|---|---|
79B38C4BE5AC888E38EC5F21AC3710F3D0936A72 | Hash | Associated with Setup.exe (Trojan.Win32.GLOBALSHADOW.A) |
72CDD3856A3FFD530DB50E0F48E71F089858E44 | Hash | Associated with GlobalProtect.exe (Backdoor.MSIL.GLOBALSHADOW.A) |
94.131.108.78 | IP Address | Associated with the C&C server. |
hxxp://94.131[.]108.78:7118/B/hi/ | URL | Used to return the result to the C&C server. |
hxxp://94.131[.]108.78:7118/B/desktop/ | URL | Used to upload machine information to the C&C server. |
portal[.]sharjahconnect.online | Domain | Likely C&C domain, mimicking a VPN portal. |
tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Main domain for beaconing. |
step1-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 1 of the infection process. |
step2-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 2 of the infection process. |
step3-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 3 of the infection process. |
step4-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 4 of the infection process. |
step5-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 5 of the infection process. |
step6-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun | Domain | Beaconing during step 6 of the infection process. |
MITRE ATT&CK Tactics and Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | The malware returns results and uploads machine information to the C&C server over HTTP (port 7118). |
Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | The malware uses AES encryption to protect its C&C communications. |
Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | The malware checks its process file path before running its main code block to evade sandbox detection. |
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | The malware is named GlobalProtect.exe and dropped into a PaloAlto-named directory to pass as the legitimate VPN client. |