Hackers Implant Backdoor via Fake Palo Alto GlobalProtect Lure

Researchers warn enterprise users about a new malware campaign targeting Middle East-based firms. The campaign implants a backdoor on victim machines by luring users into downloading the malware via fake Palo Alto GlobalProtect installers.

Fake Palo Alto GlobalProtect Installers Implant Backdoor

Security researchers from Trend Micro discovered a new malware campaign targeting organizations. Specifically, the campaign aims to infect target systems with backdoor malware by tricking users into executing fake Palo Alto GlobalProtect installers.

The attack begins once the fake installers reach the target machine. While it remains unclear how exactly the threat actors lure victims into downloading the malware, researchers suggest phishing emails as a possible attack vector.

Once downloaded, the malicious installer silently implants the backdoor on the device while displaying a fake GlobalProtect installation window on the screen to deceive the victim.

The malware is written in C# and exhibits various malicious capabilities, including executing PowerShell commands remotely, exfiltrating system files, and running additional payloads on the target system. Thus, it has the potential to disrupt a target organization’s operations.

Following successful execution on the target machine, the malware checks for sandbox environments before running its primary payload. Once cleared, it starts exfiltrating system information, sending it to the C&C server using AES encryption.

The malware also uses the open-source tool “Interactsh” for periodic beaconing after infection.

The malware’s C&C uses a newly registered URL containing the string “sharjahconnect”, chosen to resemble a VPN portal. This reference to Sharjah suggests that the threat actors behind the campaign are specifically targeting organizations in the Middle East.
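Two of the behaviours described above, periodic beaconing and a C&C hostname that mimics a VPN portal, are cheap to hunt for in outbound proxy or DNS logs. The following is an added example written for this article, not code from Trend Micro or from the campaign analysis: it parses a few constructed log lines (the hostnames, timestamps and the `ws-17` workstation name are all made up; only the “sharjahconnect” token comes from the write-up), flags destinations whose name carries a VPN-portal token but is not on an allowlist of known portals, and flags source/destination pairs contacted at near-constant intervals, which is how a beacon looks against bursty user browsing.

```python
"""Added example (not from the article or Trend Micro): two simple detections for
lookalike VPN-portal hosts and periodic beaconing, run over constructed log lines."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<UTC timestamp> <source host> <destination host> <bytes>".
# Every host and timestamp here is invented for the example.
SAMPLE_LOG = """\
2024-08-20T09:00:00Z ws-17 portal.globalprotect.example.com 512
2024-08-20T09:00:05Z ws-17 updates.vendor.example.com 2048
2024-08-20T09:10:00Z ws-17 vpn-sharjahconnect.example.net 420
2024-08-20T09:12:33Z ws-17 cdn.news.example.org 15000
2024-08-20T09:20:01Z ws-17 vpn-sharjahconnect.example.net 418
2024-08-20T09:30:00Z ws-17 vpn-sharjahconnect.example.net 421
2024-08-20T09:31:10Z ws-17 cdn.news.example.org 8700
2024-08-20T09:40:00Z ws-17 vpn-sharjahconnect.example.net 419
2024-08-20T09:55:48Z ws-17 cdn.news.example.org 23000
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(size)))
    return records


def flag_lookalike_hosts(records, tokens=("sharjahconnect", "globalprotect"), allowlist=()):
    """Destinations whose name carries a VPN-portal token but is not a known portal.

    The allowlist holds the organisation's real portal hostnames (assumed); anything
    else that borrows the brand or region token is worth a look."""
    hits = set()
    for _, _, dst, _ in records:
        name = dst.lower()
        if name in allowlist:
            continue
        if any(tok in name for tok in tokens):
            hits.add(dst)
    return sorted(hits)


def detect_beacons(records, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals.

    A beacon fires on a timer, so the coefficient of variation (stdev / mean) of
    the gaps between contacts is close to zero; user-driven traffic is bursty and
    scores much higher. Pairs with fewer than min_events contacts are ignored."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"events": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


def triage(text, allowlist=("portal.globalprotect.example.com",)):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "lookalike_hosts": flag_lookalike_hosts(records, allowlist=allowlist),
        "beacons": detect_beacons(records),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print("lookalike hosts:", findings["lookalike_hosts"])
    for (src, dst), info in findings["beacons"].items():
        print(f"beacon candidate: {src} -> {dst}: {info['events']} contacts, "
              f"every {info['mean_interval']:.0f}s (cv={info['cv']:.4f})")
```

On the constructed sample, the allowlisted real portal is ignored even though it contains “globalprotect”, the lookalike host is reported, and the four contacts to it at roughly ten-minute spacing come out with a coefficient of variation near zero, while the irregular CDN fetches do not. Real beacons often add jitter, so in production the `max_cv` threshold is something to tune against known-good traffic rather than a fixed constant.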

The researchers have shared a detailed technical analysis of this campaign in their post.

Recommended Security Practices for Organizations

As the cybersecurity threat landscape evolves, it becomes inevitable for enterprises, including small businesses, to  to all organizations.

Specifically, since the success of this and similar attacks depends largely on exploiting the human element, the researchers advise organizations to conduct regular employee security awareness training.

Organizations should also apply the principle of least privilege and limit unnecessary staff access to sensitive data and devices, deploy email and web security solutions, and implement a well-defined incident response plan to tackle potential threats.

Let us know your thoughts in the comments.
