IT security company Trend Micro has uncovered a malware campaign targeting users in the Middle East, involving malware disguised as the Palo Alto GlobalProtect tool. The malware uses a two-stage infection process and advanced command-and-control (C&C) infrastructure to infiltrate networks and create a backdoor that allows communication with the threat actors.
Trend Micro’s research indicates that the malware is distributed through a deceptive setup.exe file. This file initiates a beaconing process using the Interactsh project, a tool primarily used by penetration testers. The malware communicates with specific hostnames within Interactsh’s oast[.]fun domain to report the progress of the infection and gather information on the compromised system.
It is capable of executing remote PowerShell commands, downloading and exfiltrating files, encrypting communications, and bypassing sandbox solutions, making it a significant threat to the targeted organisations.
Palo Alto spoofing
The malware’s design includes a sophisticated C&C infrastructure, which pivots to a newly registered URL, “sharjahconnect.” This URL is made to resemble a legitimate VPN portal, particularly one that would be expected for a company in Sharjah, a region in the United Arab Emirates. This guise helps the malware to blend in with normal network traffic, increasing its chances of evading detection. The malware uses these connections to monitor targets as they move through different stages of the infection.
Developed in C#, the malware’s capabilities extend beyond simple data theft. It can execute remote commands, deliver additional payloads, and exfiltrate sensitive files, effectively serving as a backdoor that allows attackers to maintain deep and persistent access to the infected systems. The malware’s ability to disguise its activities makes it particularly dangerous, as it can remain undetected for extended periods.
Trend Micro has not yet identified the precise method of malware delivery, but it is suspected to involve phishing attacks. Victims are tricked into downloading what appears to be a legitimate version of the GlobalProtect agent.
Once downloaded, the file named setup.exe acts as the initial infection vector. This executable then deploys another file, GlobalProtect.exe, along with configuration files like RTime.conf and ApProcessId.conf, which are stored in a directory mimicking the location of legitimate program files.
Upon execution, the malware begins its beaconing mechanism to notify the attackers of each stage’s successful completion, solidifying its role as a backdoor into the compromised network. It communicates with specific hostnames to update the attackers on its progress. The malware checks the process file path and other specific files to evade sandbox analysis and behavioural detection methods, enhancing its ability to remain hidden.
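The dropped-file set described above (GlobalProtect.exe beside RTime.conf and ApProcessId.conf, written to a directory that imitates the real program location) is a concrete host artifact a responder can hunt for. The following is an added triage example, not code from Trend Micro or from the article; it works on a list of file paths such as an EDR or inventory export, so it runs anywhere. The sample paths, the expected install root under Program Files and the file "legit-component.dll" are constructed assumptions; the report gives only the three dropped file names and says the directory "mimics" the legitimate location.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File names the report says the setup.exe dropper writes (compared case-insensitively).
DROPPED_ARTIFACTS = {"globalprotect.exe", "rtime.conf", "approcessid.conf"}

# Assumed legitimate install root (not stated in the report); the point of the
# check is that the dropper writes a look-alike directory somewhere else.
LEGIT_ROOT = PureWindowsPath(r"C:\Program Files\Palo Alto Networks\GlobalProtect")

# Constructed inventory of paths as an endpoint agent might report them.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Palo Alto Networks\GlobalProtect\legit-component.dll",  # constructed name
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"C:\Users\alice\AppData\Local\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
    r"C:\Users\alice\AppData\Local\Palo Alto Networks\GlobalProtect\RTime.conf",
    r"C:\Users\alice\AppData\Local\Palo Alto Networks\GlobalProtect\ApProcessId.conf",
    r"C:\Windows\System32\notepad.exe",
]


def group_by_directory(paths):
    """Map each lower-cased parent directory to the set of lower-cased file names in it."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    return by_dir


def is_under(directory, root):
    """True if `directory` equals `root` or lies beneath it (case-insensitive string compare)."""
    d = directory.lower().rstrip("\\")
    r = str(root).lower().rstrip("\\")
    return d == r or d.startswith(r + "\\")


def triage(paths, artifacts=DROPPED_ARTIFACTS, legit_root=LEGIT_ROOT):
    """Return one finding per directory that holds any of the dropped artifacts.

    severity: "high" when all three files sit together outside the expected
    install root, "medium" when all three sit inside it (still worth review,
    since RTime.conf/ApProcessId.conf are the dropper's own files), and
    "low" for a partial match.
    """
    findings = []
    for directory, names in group_by_directory(paths).items():
        present = artifacts & names
        if not present:
            continue
        complete = present == artifacts
        inside = is_under(directory, legit_root)
        if complete and not inside:
            severity = "high"
        elif complete:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "directory": directory,
            "matched": sorted(present),
            "under_expected_root": inside,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["directory"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Running it against a real inventory export means replacing SAMPLE_INVENTORY with the exported path list; the matching is deliberately on file names and directory placement only, which is what the article gives, so a renamed dropper would need a different check.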
The malware gathers vital machine information from the compromised system, including IP addresses, operating system details, usernames, and other identifiers. The data retrieved is then used to encrypt communications with the C&C server, ensuring that the attackers’ activities remain concealed from standard monitoring tools.
Trend Micro’s analysis reveals that the malware employs the AES encryption algorithm to secure its communications. It uses a unique encryption key for each victim, which is derived from specific system parameters stored in configuration files. This approach ensures that even if the traffic is intercepted, it would be challenging to decrypt without access to the unique key.
Companies warned to strengthen defences
To further evade detection, the malware uses the Interactsh project to send out DNS requests as a form of beaconing. Each stage of the malware’s infection process is associated with a specific DNS request format, which allows the attackers to track the progress of the malware on compromised systems. This method also helps avoid traditional detection mechanisms that focus on more conventional forms of network communication.
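Because the beaconing described above and in the opening paragraphs rides on DNS lookups of per-stage hostnames under Interactsh's oast[.]fun domain, and the C&C side uses a look-alike hostname containing "sharjahconnect", resolver logs are the natural place to detect it. The following is an added detection example, not code from Trend Micro or the article: it parses a simplified resolver log (the three-field line format, the sample lines, the ".example" suffix on the look-alike name and the per-stage label prefixes such as "step2-" are all constructed assumptions; the report does not publish the exact stage formats), tags each query that hits the Interactsh domain or the look-alike token, and raises one alert per client that shows repeated OAST lookups or any look-alike lookup.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report).
# Assumed format per line: "<timestamp> <client_ip> <query_name>".
SAMPLE_DNS_LOG = """\
2024-08-01T09:00:01Z 10.1.2.3 update.microsoft.com
2024-08-01T09:00:05Z 10.1.2.3 a1b2c3d4.oast.fun
2024-08-01T09:01:10Z 10.1.2.3 step2-a1b2c3d4.oast.fun
2024-08-01T09:02:30Z 10.1.2.3 sharjahconnect.example
2024-08-01T09:03:00Z 10.1.2.4 www.paloaltonetworks.com
2024-08-01T09:03:40Z 10.1.2.3 step3-a1b2c3d4.oast.fun
malformed line
"""

# Interactsh out-of-band domain named in the report.
OAST_SUFFIXES = (".oast.fun",)
# Token from the look-alike VPN-portal hostname named in the report.
LOOKALIKE_TOKENS = ("sharjahconnect",)

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def parse_line(line):
    """Return {ts, client, qname} for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(qname):
    """Label a query name: 'interactsh-oast', 'lookalike-vpn-portal', or None."""
    q = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    if q.endswith(OAST_SUFFIXES):
        return "interactsh-oast"
    if any(tok in q for tok in LOOKALIKE_TOKENS):
        return "lookalike-vpn-portal"
    return None


def find_beaconing(log_text, min_oast_hits=2):
    """Return {client_ip: [(ts, qname, label), ...]} for clients worth alerting on.

    A client is alerted when it performs at least `min_oast_hits` lookups under
    the Interactsh domain (repeated per-stage beacons) or any lookup of the
    look-alike portal name.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        label = classify(rec["qname"])
        if label:
            per_client[rec["client"]].append((rec["ts"], rec["qname"], label))

    alerts = {}
    for client, hits in per_client.items():
        oast_hits = sum(1 for h in hits if h[2] == "interactsh-oast")
        saw_lookalike = any(h[2] == "lookalike-vpn-portal" for h in hits)
        if oast_hits >= min_oast_hits or saw_lookalike:
            alerts[client] = hits
    return alerts


if __name__ == "__main__":
    for client, hits in find_beaconing(SAMPLE_DNS_LOG).items():
        print(client)
        for ts, qname, label in hits:
            print(f"  {ts}  {qname}  [{label}]")
```

The suffix match is the robust part: Interactsh hostnames are unique per session, so a block list of exact names would never fire, but every beacon still ends in the same registered domain. The look-alike token check is narrower and should be treated as a hunting lead, since any internal service with a similar name would also match.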
Trend Micro advises organisations to strengthen defences against social engineering, a key tactic in the malware campaign. This includes training employees to recognise phishing attempts and adopting the principle of least privilege to limit access to critical data.
The IT security company also recommends robust email and web security measures to block malicious content and having a clear incident response plan to swiftly manage breaches.
In June, BlackBerry released a report indicating a 40% increase in new malware used in cyberattacks during Q1 2024 compared to the previous quarter, marking a fivefold rise from the same period last year. The report revealed that 60% of these attacks targeted critical infrastructure, making it the primary focus for breaches.
Among these sectors, the financial sector faced the most attacks, accounting for 40% of breaches on critical infrastructure, followed by healthcare at 24%, utilities at 18%, and government at 14%.
Written by Swagath Bandhakavi