Cybersecurity researchers have uncovered a new campaign that appears to target users in the Middle East with malware masquerading as Palo Alto Networks GlobalProtect, a virtual private network (VPN) tool.
“The malware can execute remote PowerShell commands, download and expose files, encrypt communications, and bypass sandboxes, posing a significant threat to targeted organizations,” Trend Micro researcher Mohamed Fahmy said in the technical report.
The malware sample uses a two-stage process and establishes connections to command-and-control (C2) infrastructure that poses as the company’s VPN portal, allowing the threat actors to operate without raising an alarm.
The initial access vector for the campaign is currently unknown, although it is suspected to involve phishing techniques that trick users into believing they are installing the GlobalProtect agent. The activity has not been attributed to a specific threat actor or group.
The starting point is the setup.exe binary, which deploys the core backdoor component, GlobalProtect.exe. Once installed, the backdoor starts a beaconing process that keeps the operators informed of its progress.
The first-stage executable is also responsible for dropping two additional configuration files (RTime.conf and ApProcessId.conf) that are used to exfiltrate system information to the C2 server (94.131.108(.)78), including the victim’s IP address, operating system information, username, machine name and sleep time.
“The malware implements an evasion technique to bypass behavioral analysis and sandbox solutions by checking the process file path and specific file before executing the main block of code,” Fahmy noted.
The backdoor serves as a conduit for downloading files, loading next-stage payloads, and executing PowerShell commands. The connection to the C2 server is made using Interactsh, an open source project.
“The malware navigates to the newly registered URL ‘sharjahconnect’ (likely referring to the UAE emirate of Sharjah), designed to look like a legitimate VPN portal for a company based in the UAE,” Fahmy said.
“This tactic is designed to allow malware to blend in with expected regional network traffic and improve its evasion characteristics.”