This malware pretends to be a real VPN service to lure in victims

Laptop with warning symbols over the keyboard

(Image credit: Shutterstock)

Jump to:

Hackers have been found impersonating legitimate, enterprise-grade VPN tools in an attempt to compromise large organizations, deploy additional malware, and possibly exfiltrate sensitive information.

A new report from cybersecurity researchers at Trend Micro spotted a fake Palo Alto GlobalProtect program being distributed online.

Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization's network. It is designed to ensure that users, whether they are working remotely or on-site, can securely access company resources while maintaining a high level of security. Its key features include a VPN, endpoint security, and threat prevention.

Flying under the radar

Trend Micro isn’t certain how the enterprises ended up downloading and installing the wrong application. They suspect it is being distributed via phishing, but it is also likely that there is some SEO poisoning going on, and that employees are being contacted via instant messaging, too.

In any case, when the users run the ‘GlobalProtect.exe’ file, they get a window that looks like a normal installation, in order not to raise any suspicion. However, in the background, the malware is being loaded, too. It first analyzes the target endpoint to see if it’s running in a sandbox, and if that’s not the case, it runs its primary code.

After that, it profiles the device, and sends the information back to its C2 server, encrypted.

Trend Micro says this malware goes the extra mile to fly under the radar. For example, the C2 address is newly registered, and contains “sharjahconnect” strong, to make it appear as if it’s coming from Palo Alto’s offices in Sharjah, United Arab Emirates.

Furthermore, the malware communicates with the C2 via periodically sent beacons through Interactsh, an open-source tool commonly used by pentesters.

Analyzing the malware, the researchers said it is capable of executing PowerShell scripts, downloading and uploading files, and more.

Via BleepingComputer

More from TechRadar Pro

Beware — that new VPN you've found could be infected with malware
Here's a list of the best firewall software around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.