This malware pretends to be a real VPN service to lure in victims
Criminals are impersonating Palo Alto solutions to drop malware
Hackers have been found impersonating legitimate, enterprise-grade VPN tools in an attempt to compromise large organizations, deploy additional malware, and possibly exfiltrate sensitive information.
A new report from cybersecurity researchers at Trend Micro spotted a fake Palo Alto GlobalProtect program being distributed online.
Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization's network. It is designed to ensure that users, whether they are working remotely or on-site, can securely access company resources while maintaining a high level of security. Its key features include a VPN, endpoint security, and threat prevention.
Flying under the radar
Trend Micro isn’t certain how the enterprises ended up downloading and installing the wrong application. They suspect it is being distributed via phishing, but it is also likely that there is some SEO poisoning going on, and that employees are being contacted via instant messaging, too.
In any case, when the users run the ‘GlobalProtect.exe’ file, they get a window that looks like a normal installation, in order not to raise any suspicion. However, in the background, the malware is being loaded, too. It first analyzes the target endpoint to see if it’s running in a sandbox, and if that’s not the case, it runs its primary code.
After that, it profiles the device, and sends the information back to its C2 server, encrypted.
Trend Micro says this malware goes the extra mile to fly under the radar. For example, the C2 address is newly registered, and contains “sharjahconnect” strong, to make it appear as if it’s coming from Palo Alto’s offices in Sharjah, United Arab Emirates.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Furthermore, the malware communicates with the C2 via periodically sent beacons through Interactsh, an open-source tool commonly used by pentesters.
Analyzing the malware, the researchers said it is capable of executing PowerShell scripts, downloading and uploading files, and more.
Via BleepingComputer
More from TechRadar Pro
- Beware — that new VPN you've found could be infected with malware
- Here's a list of the best firewall software around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.