Researchers at Trend Micro have uncovered a malware campaign targeting users in the Middle East. The malicious software disguises itself as Palo Alto Networks' GlobalProtect, a widely used VPN client, which raises the concern that a successful infection lands on a machine that is already trusted to reach corporate network resources.
The Deception: Malware Mimicking Trusted VPN Software
The initial attack vector has not been confirmed, but the researchers suspect that the operators rely on phishing to convince victims they are installing the legitimate GlobalProtect client. The lure is effective because GlobalProtect is widely deployed by organizations to give employees, contractors, and partners remote access to private network resources, so a request to "install the VPN" looks routine.
The campaign appears to be aimed at organizations that actually use GlobalProtect: a backdoor running on such a machine can give the attackers a foothold from which sensitive corporate data and systems become reachable.
Infection Process and Malware Capabilities
The infection chain begins with a binary named setup.exe, which drops the main backdoor component under the name GlobalProtect.exe. Once running, the backdoor sends a beacon to notify its operators that the installation succeeded.
The first-stage executable also drops two configuration files, RTime.conf and ApProcessId.conf, that the backdoor uses while collecting system information. The data it gathers includes:
- Victim’s IP address
- Operating system details
- Username
- Machine name
- System sleep time data
This harvested data is then transmitted to the attackers' command and control (C2) server at 94.131.108[.]78 (the address is defanged here; remove the brackets when adding it to a blocklist or a detection rule).
Advanced Evasion Techniques
To hamper analysis and detection, the malware encrypts its strings and the packets it exchanges with the C2 server using AES, which defeats simple string searches on the binary and signature matching on the network traffic. The C2 infrastructure also uses a recently registered domain containing the string "sharjahconnect", most likely chosen so that the traffic resembles a connection to a legitimate VPN portal in the Emirate of Sharjah, UAE. The domain's recent registration is itself a useful signal: newly registered domains seen in VPN-client traffic deserve scrutiny regardless of how plausible the name looks.
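The infection chain and network indicators above (setup.exe dropping GlobalProtect.exe, the two .conf files, the C2 address, and the "sharjahconnect" lookalike domain) can be turned into a small triage pass over endpoint and network telemetry. The following is an added example, not code from Trend Micro or from the article; the event schema, the hostnames, the paths and the signer string are constructed, and the assumption that a genuine GlobalProtect binary carries a valid Palo Alto Networks Authenticode signature is the author's, not something the article states.

```python
"""Flag the indicators described in the article in simple endpoint/network events."""
import re
from dataclasses import dataclass

# Indicators quoted in the article; the "[.]" defanging is undone for matching.
C2_IP = "94.131.108[.]78".replace("[.]", ".")
PORTAL_LOOKALIKE = re.compile(r"sharjahconnect", re.IGNORECASE)
DROPPED_CONFIGS = {"rtime.conf", "approcessid.conf"}
MASQUERADE_NAME = "globalprotect.exe"
DROPPER_NAME = "setup.exe"
# Assumption (not from the article): a genuine GlobalProtect binary carries a
# valid Authenticode signature whose subject names Palo Alto Networks.
LEGIT_SIGNER_SUBSTRING = "palo alto networks"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    """Process-creation event: a GlobalProtect.exe that is unsigned or was
    spawned by setup.exe matches the dropper behaviour in the article."""
    findings = []
    if _basename(ev["image"]) != MASQUERADE_NAME:
        return findings
    signer = (ev.get("signer") or "").lower()
    if ev.get("signature_valid") is not True or LEGIT_SIGNER_SUBSTRING not in signer:
        findings.append(Finding(ev["host"], "globalprotect_lookalike_unsigned",
                                f"{ev['image']} signer={ev.get('signer') or '<none>'}"))
    if _basename(ev.get("parent_image", "")) == DROPPER_NAME:
        findings.append(Finding(ev["host"], "globalprotect_spawned_by_setup_exe",
                                f"{ev['parent_image']} -> {ev['image']}"))
    return findings


def check_network(ev: dict) -> list[Finding]:
    """Network event: the published C2 address or a lookalike portal domain."""
    findings = []
    if ev.get("dst_ip") == C2_IP:
        findings.append(Finding(ev["host"], "c2_ip",
                                f"{ev['dst_ip']}:{ev.get('dst_port')}"))
    hostname = ev.get("dst_host") or ""
    if PORTAL_LOOKALIKE.search(hostname):
        findings.append(Finding(ev["host"], "vpn_portal_lookalike_domain", hostname))
    return findings


def check_file(ev: dict) -> list[Finding]:
    """File-write event: the two configuration files dropped by setup.exe."""
    if _basename(ev["path"]) in DROPPED_CONFIGS:
        return [Finding(ev["host"], "stealer_config_dropped", ev["path"])]
    return []


CHECKS = {"process": check_process, "network": check_network, "file": check_file}


def triage(events: list[dict]) -> list[Finding]:
    """Run every event through the check for its type; unknown types raise."""
    out: list[Finding] = []
    for ev in events:
        out.extend(CHECKS[ev["type"]](ev))
    return out


# Constructed sample telemetry (not real logs): one infected host, one clean host.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-017",
     "image": r"C:\Users\amal\AppData\Local\Temp\GlobalProtect.exe",
     "parent_image": r"C:\Users\amal\Downloads\setup.exe",
     "signer": "", "signature_valid": False},
    {"type": "file", "host": "ws-017",
     "path": r"C:\Users\amal\AppData\Local\Temp\RTime.conf"},
    {"type": "file", "host": "ws-017",
     "path": r"C:\Users\amal\AppData\Local\Temp\ApProcessId.conf"},
    {"type": "network", "host": "ws-017", "dst_ip": "94.131.108.78", "dst_port": 443,
     "dst_host": "connect.sharjahconnect.example"},  # constructed, not the real domain
    # Clean host: a signed binary in the vendor directory, launched by explorer.exe.
    {"type": "process", "host": "ws-042",
     "image": r"C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "signer": "Palo Alto Networks, Inc.", "signature_valid": True},
    {"type": "network", "host": "ws-042", "dst_ip": "203.0.113.10", "dst_port": 443,
     "dst_host": "vpn.corp.example"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.evidence}")
```

The signer check is the one that keeps working after the attackers rotate infrastructure: the IP and domain will change, but a binary calling itself GlobalProtect.exe that is not signed by the vendor, or that was written and started by a setup.exe from a user's Downloads folder, stays suspicious. The constructed clean record shows the intended negative case: same file name, but a valid vendor signature and a normal parent, so it produces no finding.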
Backdoor Functionality and Command Execution
The backdoor serves as a conduit for downloading additional files and next-stage payloads and for executing PowerShell commands. Its beaconing uses Interactsh, an open-source out-of-band interaction tool that penetration testers normally use to confirm callbacks; borrowing a legitimate tool's infrastructure makes the traffic look less like a bespoke C2 channel.
Because it accepts and executes arbitrary commands from the C2 server, the backdoor gives the operators persistent control of the infected machine and a starting point for moving further into the compromised network.
The campaign is a reminder that VPN clients are an attractive disguise precisely because users expect to install them and administrators expect them to make outbound connections. Organizations relying on VPN solutions for remote access should distribute the client only from their own portal or software-management channel, verify the installer's code signature before it runs, and treat a GlobalProtect binary in a temporary or user-writable directory, or VPN-client traffic to a newly registered domain, as something to investigate. Users and IT administrators should remain vigilant, verify software sources, and implement multi-layered security controls to mitigate the risks posed by such deceptive malware.