This malware poses as a genuine VPN service to lure victims
Hackers are distributing malware disguised as a legitimate corporate VPN tool in an attempt to compromise large organizations, install additional malware, and potentially steal sensitive information.
A new report from cybersecurity researchers at Trend Micro has revealed that a fake Palo Alto GlobalProtect installer is being distributed online.
Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization’s network. It is designed to ensure that users, whether remote or on-site, can securely access corporate resources while maintaining a high level of security. Key features include VPN, endpoint protection, and threat prevention.
Flying under the radar
Trend Micro could not determine how the affected companies came to download and install the malicious application. The researchers suspect phishing, but SEO poisoning and targeting of employees through instant messaging are also considered likely.
Either way, when users execute the file ‘GlobalProtect.exe’, they see a window that looks like a normal installation, so as not to raise suspicion. In the background, however, the malware loads as well. It first checks whether the endpoint is running in a sandbox and, if not, executes its primary code.
The device is then profiled, and the collected information is encrypted and sent back to the C2 server.
Trend Micro says this malware goes a step further to fly under the radar. For example, the C2 address is newly registered and includes the string “sharjahconnect”, to make it appear as if it came from Palo Alto’s offices in Sharjah, United Arab Emirates.
Additionally, the malware communicates with the C2 by periodically sending beacons through Interactsh, an open-source tool widely used by penetration testers.
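The two C2 traits just described (a newly registered lookalike domain carrying a vendor-flavoured keyword, and beaconing through Interactsh) can be surfaced from DNS logs. The following is an added triage example, not code from Trend Micro or BleepingComputer; the log format, hostnames and the vendor apex domain are assumptions, and the Interactsh entries are the project's publicly documented default server domains, so a self-hosted Interactsh server would not be caught by that list.

```python
import re

# Assumed legitimate vendor apex domain; names under it are never flagged.
LEGIT_VENDOR_DOMAINS = ("paloaltonetworks.com",)
# Keyword the report quotes from the lookalike C2 hostname.
LOOKALIKE_KEYWORDS = ("sharjahconnect",)
# Publicly documented default Interactsh (OAST) server domains. Beaconing to
# these from ordinary user workstations deserves a closer look; authorised
# pentest hosts will also show up here, so treat a hit as a lead, not a verdict.
INTERACTSH_DOMAINS = ("oast.pro", "oast.live", "oast.site", "oast.online",
                      "oast.fun", "oast.me", "interact.sh")

# Assumed log line shape: "<timestamp> <client-host> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$")


def _under(qname, apex):
    """True if qname is apex itself or a subdomain of apex."""
    return qname == apex or qname.endswith("." + apex)


def classify(qname):
    """Return a reason string if qname matches a reported C2 trait, else None."""
    q = qname.lower().rstrip(".")          # normalise case and trailing dot
    if any(_under(q, d) for d in LEGIT_VENDOR_DOMAINS):
        return None                        # genuine vendor traffic is expected
    if any(_under(q, d) for d in INTERACTSH_DOMAINS):
        return "interactsh-beacon"
    if any(k in q for k in LOOKALIKE_KEYWORDS):
        return "vendor-lookalike"          # keyword present, but not the real vendor
    return None


def triage(lines):
    """Parse DNS log lines and return (host, qname, reason) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # skip lines that do not fit the assumed format
        reason = classify(m["qname"])
        if reason:
            hits.append((m["host"], m["qname"], reason))
    return hits


# Constructed sample log; the domains are placeholders, not real indicators.
SAMPLE_LOG = [
    "2024-08-30T10:01:02Z ws-017 query sharjahconnect-placeholder.example.",
    "2024-08-30T10:01:09Z ws-017 query abc123.oast.fun",
    "2024-08-30T10:02:11Z ws-022 query vpn.paloaltonetworks.com",
    "2024-08-30T10:02:15Z ws-022 query www.example.com",
]
```

Running `triage(SAMPLE_LOG)` yields two hits, both from the same workstation, which is the pattern a responder would want to correlate with a recent GlobalProtect-named download.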
After analyzing the malware, the researchers reported that it can execute PowerShell scripts, download and upload files, and more.
Via BleepingComputer