Alert: Users At Risk Amid Palo Alto VPN Disguised Malware
Recent cybersecurity research claims that a new malware campaign masquerading as the Palo Alto VPN client, GlobalProtect, is targeting users in the Middle East. The malware has been observed to use a two-stage attack. In this article, we’ll look at what the malware is and the dangers it poses to users in the region. Let’s begin!
Palo Alto VPN Malware Uncovered
The Palo Alto VPN malware campaign has been brought to light by recent cybersecurity research. In a technical report, Mohamed Fahmy of Trend Micro states that:
“The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to targeted organizations.”
In addition, the attack uses a two-stage process in which the malware first sets up a connection to the command-and-control (C2) infrastructure. That infrastructure is dressed up to look like a company VPN portal, which lets the threat actors operate without restriction and without being detected.
Although the initial intrusion vector is unknown, phishing is suspected: lures designed to deceive users into believing they are installing the legitimate GlobalProtect VPN agent. The campaign has not been attributed to a particular threat actor or group.
GlobalProtect VPN Malware Attack Sequence
According to recent reports, the starting point of the Palo Alto VPN malware is a setup.exe file, which deploys the primary backdoor component, GlobalProtect.ext. Once the fake VPN is installed on a device, it begins a beaconing process that keeps the operators informed of the infection’s progress.
It’s worth mentioning that the first-stage executable also drops two additional payloads, RTime.conf and ApProcessId.conf. These payloads are used to exfiltrate system information to a C2 server (94.131.108[.]78). The exfiltrated information can include:
- Username.
- Machine name.
- Sleep time sequence.
- The IP address of the victim.
- Operating system information.
Shedding further light on the Palo Alto VPN malware, cybersecurity researcher Fahmy has stated that:
“The malware implements an evasion technique to bypass behavior analysis and sandbox solutions by checking the process file path and the specific file before executing the main code block.”
The primary backdoor component of the fake VPN acts as a conduit for multiple operations throughout the attack, such as uploading files, downloading the next-stage payload, and executing PowerShell commands.
For evasion, the malware pivots to a new URL, “sharjahconnect”, designed to closely resemble the real VPN portal of a UAE-based company. Such tactics help the threat actors blend their malicious traffic in with legitimate regional network traffic.
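The indicators above (the C2 address, the “sharjahconnect” lookalike portal name, the beaconing behaviour, and a GlobalProtect binary running from somewhere other than its install directory) are the kind of thing a defender would sweep logs for. The following script is an added example written for this article; it is not code from Trend Micro, Palo Alto Networks, or the original report. It takes the C2 IP and the portal name from the article as published, and everything else is an assumption: the space-separated proxy log format, the sample log lines (constructed here), the hostname built around “sharjahconnect”, the beacon-jitter threshold, and the expected GlobalProtect install directory.

```python
"""Defender-side sweep for the GlobalProtect-lookalike campaign.

Added example, not from the article or the vendors it cites. Indicators quoted
from the article: C2 IP 94.131.108[.]78 and the "sharjahconnect" portal name.
Log format, sample lines, thresholds and install path are assumptions.
"""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Indicators as published in the article (defanged).
C2_IP_DEFANGED = "94.131.108[.]78"
LOOKALIKE_TOKEN = "sharjahconnect"

# Assumed: where a legitimate GlobalProtect client is installed on this estate.
EXPECTED_GP_DIR = PureWindowsPath(r"C:\Program Files\Palo Alto Networks\GlobalProtect")


def refang(ioc: str) -> str:
    """Turn a defanged indicator into a matchable value ("[.]" -> ".", "hxxp" -> "http")."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(C2_IP_DEFANGED)}

# Assumed proxy/firewall log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    raw: str


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def scan_logs(lines, beacon_min_hits=3, max_jitter_ratio=0.1):
    """Flag traffic to the published C2 IP, hosts carrying the lookalike portal
    name, and evenly spaced repeat connections (beaconing) between one source
    and one destination. Returns a list of Finding records."""
    lines = list(lines)
    findings = []
    by_pair = {}  # (src, dst) -> [(line_no, timestamp), ...]
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        if rec["dst"] in C2_IPS:
            findings.append(Finding(no, "destination matches published C2 IP", line))
        if LOOKALIKE_TOKEN in rec["host"].lower():
            findings.append(Finding(no, "host resembles the fake VPN portal name", line))
        by_pair.setdefault((rec["src"], rec["dst"]), []).append((no, rec["ts"]))
    # Beacon check: at least N hits whose inter-arrival gaps vary by no more than the jitter ratio.
    for (src, dst), hits in by_pair.items():
        if len(hits) < beacon_min_hits:
            continue
        hits.sort(key=lambda h: h[1])
        gaps = [(b[1] - a[1]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) <= max_jitter_ratio * mean:
            last_no = hits[-1][0]
            findings.append(Finding(last_no, f"regular {mean:.0f}s beacon {src} -> {dst}", lines[last_no - 1]))
    return findings


def is_unexpected_globalprotect_process(exe_path: str) -> bool:
    """True when a process presenting itself as GlobalProtect runs outside the
    expected install directory, e.g. a copy launched from a user-writable folder."""
    p = PureWindowsPath(exe_path)
    if not p.name.lower().startswith("globalprotect"):
        return False
    try:
        p.relative_to(EXPECTED_GP_DIR)
        return False
    except ValueError:
        return True


# Constructed sample log lines (documentation IP ranges; the lookalike hostname is invented).
SAMPLE_LOGS = [
    "2024-09-01T10:00:00 10.0.0.5 94.131.108.78 443 94.131.108.78 /",
    "2024-09-01T10:00:03 10.0.0.5 198.51.100.20 443 www.example.com /",
    "2024-09-01T10:05:00 10.0.0.5 94.131.108.78 443 94.131.108.78 /",
    "2024-09-01T10:10:00 10.0.0.5 94.131.108.78 443 94.131.108.78 /",
    "2024-09-01T10:12:41 10.0.0.7 203.0.113.9 443 portal.sharjahconnect.example /global-protect/login.esp",
    "garbage line that will not parse",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}")
    print(is_unexpected_globalprotect_process(r"C:\Users\bob\Downloads\GlobalProtect.exe"))
```

On the sample data the sweep reports the three C2 connections, the lookalike hostname, and a 300-second beacon from 10.0.0.5, five findings in all; the unparseable line is ignored rather than raised. The beacon heuristic is deliberately simple (low variance in inter-arrival time over a small window) and will need tuning against your own proxy volume before it is useful in production.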
Conclusion
The Palo Alto VPN malware poses a serious threat, using advanced evasion techniques and disguising itself as a legitimate VPN tool. By exploiting unsuspecting users through phishing and stealthy C2 connections, this campaign emphasizes the need for enhanced vigilance and proactive cybersecurity measures in the Middle East. Stay protected!
The sources for this piece include articles in The Hacker News and Trend Micro.