Back

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Aug. 30, 2024, 8:37 a.m.

Tags

malware
phishing
evasion
globalprotect
2024-08-30
cnc
globalprotect.exe

External References

https://www.trendmicro.com/

https://www.trendmicro.com/

https://otx.alienvault.com/

Description

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legitimate VPN portals. It utilizes the Interactsh project for beaconing and maintains stealth through encryption and sandbox evasion techniques, enabling remote code execution, payload deployment, and data exfiltration on compromised hosts.

Date

Published Created Modified
Aug. 30, 2024, 8:16 a.m. Aug. 30, 2024, 8:16 a.m. Aug. 30, 2024, 8:37 a.m.

Indicators

http://94.131.108.78:7118/B/hi/

http://94.131.108.78:7118/B/desktop/

Attack Patterns

GlobalProtect.exe

T1608

T1105

T1071

T1027

T1059

CVE-2023-22527

Additional Informations

United Arab Emirates