Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool
Aug. 30, 2024, 8:37 a.m.
Description
Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legitimate VPN portals. It utilizes the Interactsh project for beaconing and maintains stealth through encryption and sandbox evasion techniques, enabling remote code execution, payload deployment, and data exfiltration on compromised hosts.
Date
Published: Aug. 30, 2024, 8:16 a.m.
Created: Aug. 30, 2024, 8:16 a.m.
Modified: Aug. 30, 2024, 8:37 a.m.
Indicators
http://94.131.108.78:7118/B/hi/
http://94.131.108.78:7118/B/desktop/
Attack Patterns
GlobalProtect.exe
T1608
T1105
T1071
T1027
T1059
CVE-2023-22527
Additional Information
United Arab Emirates