Novel Malicious Software Poses as Palo Alto VPN Targeting Users in the Middle East

AndyC 31 August 2024

August 30, 2024Ravie LakshmananMalware / Network Security

Cybersecurity experts revealed a recent operation likely aimed at individuals in the Middle East using malicious software disguised as the Palo Alto Networks GlobalProtect virtual private

New Malware Masquerades as Palo Alto VPN Targeting Middle East Users

August 30, 2024Ravie LakshmananMalware / Network Security

Cybersecurity experts revealed a recent operation likely aimed at individuals in the Middle East using malicious software disguised as the Palo Alto Networks GlobalProtect virtual private network (VPN) application.

“The malicious software has the capability to perform remote PowerShell commands, retrieve and move files, encode communications, and circumvent sandbox solutions, posing a major risk to specific organizations,” Trend Micro investigator Mohamed Fahmy stated in a detailed analysis.

The sophisticated harmful program example has been seen following a dual-stage process, which includes creating links to command-and-control (C2) infrastructure that claims to be a corporate VPN gateway, enabling the malicious actors to function without setting off any alerts.

Cybersecurity

The original method of entry for the operation is presently undisclosed, though it is suspected to involve the utilization of deceptive methods such as phishing to mislead users into believing they are installing the GlobalProtect agent. The source of the activity has not been linked to a particular threat actor or collective.

The initial deployment involves a setup.exe binary that installs the primary undercover element called GlobalProtect.exe, which, upon installation, commences a signaling process that informs the operators of the status.

The primary executable is also responsible for placing two additional setup files (RTime.conf and ApProcessId.conf) that are used to transfer system data to a C2 server (94.131.108[.]78), including the target’s IP address, OS data, username, device name, and timing sequences for idle periods.

“The malware leverages an evasion maneuver to resist behavior analysis and sandbox solutions by examining the process file path and the specific file before triggering the primary code block,” Fahmy remarked.

The covert channel facilitates the uploading of files, fetching subsequent-level payloads, and executing PowerShell directives. The communication with the C2 server is facilitated by means of the Interactsh freely accessible initiative.

Cybersecurity

“The malicious software transitions to a recently registered URL, ‘sharjahconnect’ (likely connected to the U.A.E. emirate Sharjah), designed to resemble an authentic VPN gateway for a U.A.E.-based company,” Fahmy disclosed.

“This strategy aims to integrate the malicious activities of the malware with expected regional network traffic to improve its camouflage capabilities.”

Stumbled upon this article intriguing? Stay tuned with us on Twitter and LinkedIn for more exclusive content updates.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

AndyC 20 December 2025
WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

AndyC 20 December 2025
Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

AndyC 20 December 2025
New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

AndyC 20 December 2025
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

AndyC 19 December 2025
HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

AndyC 19 December 2025

You may have missed

Amazon Warns Perncious Fake North Korea IT Worker Threat Has Become Widespread

Randall Munroe’s XKCD ‘Fifteen Years’

AndyC 20 December 2025
Why AppSec Can’t Keep Up With AI-Generated Code

Google Shutting Down Dark Web Report Met with Mixed Reactions

AndyC 20 December 2025
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

AndyC 20 December 2025
Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

AndyC 20 December 2025
Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

Containing the Inevitable: What Cyber Leaders Must Prepare for in 2026

AndyC 20 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.