TLDR:
- New malware disguised as Palo Alto Networks GlobalProtect VPN targets users in the Middle East
- The malware can execute PowerShell commands, download files, encrypt communications, and bypass sandbox solutions
In a recent disclosure, cybersecurity researchers have identified a new malware campaign that is specifically targeting users in the Middle East by masquerading as the Palo Alto Networks GlobalProtect virtual private network (VPN) tool. The malware is described as highly sophisticated, capable of executing remote PowerShell commands, downloading and exfiltrating files, encrypting communications, and evading detection by sandbox solutions. The campaign operates through a two-stage process that involves setting up connections to a command-and-control (C2) infrastructure posing as a legitimate VPN portal. The initial intrusion vector is suspected to involve phishing techniques, but the specific method remains unknown. The malware is designed to blend in with regional network traffic and enhance its evasion characteristics, making it a serious threat to targeted organizations in the Middle East.
The primary backdoor component of the malware, called GlobalProtect.exe, is deployed through a setup.exe binary, initiating a beaconing process to alert operators of its progress. Additional configuration files are dropped to exfiltrate system information to a C2 server, including details like IP addresses, operating system information, and usernames. The malware is designed to bypass behavior analysis and sandbox solutions by checking specific parameters before executing its main code block. The backdoor enables the upload and download of files, as well as the execution of PowerShell commands. The campaign utilizes the Interactsh project for beaconing and registers URLs that mimic legitimate VPN portals to facilitate malicious activities.