Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Aug. 30, 2024, 8:37 a.m.

Description

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legitimate VPN portals. It utilizes the Interactsh project for beaconing and maintains stealth through encryption and sandbox evasion techniques, enabling remote code execution, payload deployment, and data exfiltration on compromised hosts.

External References

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/h/fake-palo-alto-globalprotect-tool/ioc-threat-actors%20-target%20-the-middle-east-using-fake-palo-alto-globalprotect-tool.txt
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
https://otx.alienvault.com/pulse/66d17fd3f4cb0df8356f89cb
Tags
malware
phishing
evasion
globalprotect
2024-08-30
cnc
globalprotect.exe

Date

  • Created: Aug. 30, 2024, 8:16 a.m.
  • Published: Aug. 30, 2024, 8:16 a.m.
  • Modified: Aug. 30, 2024, 8:37 a.m.

Indicators

  • 94.131.108.78
  • http://94.131.108.78:7118/B/hi/
  • http://94.131.108.78:7118/B/desktop/
  • portal.sharjahconnect.online
  • tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun
Download all indicators here!

Attack Patterns

  • GlobalProtect.exe

Additional Informations

  • United Arab Emirates

Linked vulnerabilities

CVE-2023-22527

None
Published: