
Hackers Implant Backdoor via Fake Palo Alto GlobalProtect Lure

Published on Latest Hacking News

Security researchers have issued a warning to enterprise users about a new malware campaign targeting organizations based in the Middle East. The attackers trick users into downloading and running fake Palo Alto GlobalProtect installers, which then plant a backdoor on the victim's machine.

Fake Palo Alto GlobalProtect Installers Installing Backdoor Malware

Trend Micro security researchers have uncovered a malicious campaign aimed at infecting organizations with backdoor malware. The attackers achieve this by deceiving users into running fake Palo Alto GlobalProtect installers.

The attack begins once a fake installer is executed on the target system. The exact method used to entice victims into downloading it has not been established; the researchers consider phishing emails the most likely delivery vector.

When run, the fake installer displays a convincing installation window to reassure the user while it quietly drops and launches the backdoor in the background.

The backdoor, written in C#, can execute remote PowerShell commands, exfiltrate files from the host, and download and launch additional payloads. Any of these gives the operators a foothold from which to move further into the affected organization's network.

Before running its main code, the malware checks whether it is executing inside a sandbox or analysis environment. If the checks pass, it collects system information, encrypts it with AES, and transmits it to the command-and-control (C&C) server.

In addition, the malware uses Interactsh, an open-source out-of-band interaction tool normally used by penetration testers, to send periodic beacons that report its infection progress.

The C&C server sits on a newly registered domain containing the string "sharjahconnect", chosen to resemble a legitimate corporate VPN portal. Sharjah is an emirate of the United Arab Emirates, which suggests the threat actors are specifically targeting organizations in that region.
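As an added illustration (this code is not from the original article or from Trend Micro's report), the following Python sketch applies two of the network indicators described above to a set of constructed DNS resolver log lines: lookups of Interactsh's public default server domains (the domain list is an assumption taken from the open-source client's defaults and should be checked against current threat intel), and hostnames that imitate a VPN portal, such as ones containing "sharjahconnect". Because Interactsh beaconing is periodic, it also flags clients whose lookups recur at near-constant intervals. The client addresses, hostnames, allowlist and log format are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Interactsh default public server domains. Assumption: taken from the
# open-source client's defaults; confirm against current threat intel.
INTERACTSH_DOMAINS = (
    "oast.fun", "oast.pro", "oast.live", "oast.site",
    "oast.online", "oast.me", "interact.sh",
)

# Substrings that imitate a VPN portal. "sharjahconnect" is the string the
# report ties to the C&C; "globalprotect" is an added assumption about how a
# similar lure for this product would be named.
LURE_STRINGS = ("sharjahconnect", "globalprotect")

# Hypothetical allowlist of the organisation's real portal hostnames.
ALLOWED_PORTALS = {"vpn.example.com", "gp.example.com"}

# Constructed DNS resolver log, one query per line: "<ts> <client> <qname> <qtype>".
SAMPLE_LOG = """
2024-08-29T10:00:00Z 10.0.0.5  c9f1a2.oast.fun                A
2024-08-29T10:00:03Z 10.0.0.9  vpn.example.com                A
2024-08-29T10:02:10Z 10.0.0.7  portal.sharjahconnect.example  A
2024-08-29T10:03:00Z 10.0.0.11 a1b2c3.oast.pro                A
2024-08-29T10:05:01Z 10.0.0.5  c9f1a2.oast.fun                A
2024-08-29T10:08:00Z 10.0.0.9  intranet.example.com           A
2024-08-29T10:10:00Z 10.0.0.5  c9f1a2.oast.fun                A
2024-08-29T10:15:02Z 10.0.0.5  c9f1a2.oast.fun                A
2024-08-29T10:17:00Z 10.0.0.11 a1b2c3.oast.pro                A
2024-08-29T10:20:01Z 10.0.0.5  c9f1a2.oast.fun                A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_query(qname: str) -> Optional[str]:
    """Tag a queried hostname, or return None if it is not of interest."""
    q = qname.rstrip(".").lower()
    if q in ALLOWED_PORTALS:
        return None
    # Match the registered domain exactly or as a parent of the queried name,
    # so "notoast.fun" is not mistaken for "oast.fun".
    for domain in INTERACTSH_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return "interactsh-beacon"
    for lure in LURE_STRINGS:
        if lure in q:
            return "vpn-portal-lookalike"
    return None


def parse_log(text: str):
    """Parse log lines into (timestamp, client, qname); skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        ts, client, qname, _qtype = match.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, qname))
    return events


def find_periodic_beacons(events, min_count: int = 4, max_jitter: float = 0.2):
    """Return {client: median_interval_seconds} for clients whose Interactsh
    lookups recur at near-constant intervals (coefficient of variation <= max_jitter)."""
    per_client = defaultdict(list)
    for ts, client, qname in events:
        if classify_query(qname) == "interactsh-beacon":
            per_client[client].append(ts)
    periodic = {}
    for client, times in per_client.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            periodic[client] = round(statistics.median(gaps))
    return periodic


def hunt(text: str):
    """Return (sorted unique hits as (client, qname, tag), periodic beaconers)."""
    events = parse_log(text)
    hits = sorted({
        (client, qname.rstrip(".").lower(), classify_query(qname))
        for _ts, client, qname in events
        if classify_query(qname) is not None
    })
    return hits, find_periodic_beacons(events)


if __name__ == "__main__":
    found, beaconers = hunt(SAMPLE_LOG)
    for hit in found:
        print("hit:", *hit)
    for client, interval in beaconers.items():
        print(f"periodic beacon: {client} every ~{interval}s")
```

The periodicity check is the part worth keeping even after this campaign's indicators age out: a randomised subdomain per lookup does not defeat it because grouping is by client and registered domain, not by full name. Tune `min_count` and `max_jitter` to your resolver's log volume before alerting on it.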


Trend Micro's researchers have published a detailed technical analysis of the campaign, including indicators of compromise, in their post.

Best Security Practices for Organizations

In the current threat landscape, every enterprise, small businesses included, needs to follow basic security best practices, and Trend Micro recommends the following for all organizations.

Because attacks like this one depend on a user choosing to run an installer from an untrusted source, organizations should conduct regular employee awareness training, and should make clear that VPN clients such as GlobalProtect are only to be installed from the vendor's site or from the IT team's approved channels.

Organizations should also apply the principle of least privilege (ordinary users should not be able to install software at all), restrict unnecessary access to sensitive data and devices, deploy email and web security controls that can block lookalike domains and out-of-band beaconing, and maintain a well-defined incident response plan.
