www.trendmicro.com
Open in
urlscan Pro
104.75.88.135
Public Scan
URL:
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
Submission: On September 05 via api from DE — Scanned from DE
Submission: On September 05 via api from DE — Scanned from DE
Form analysis 1 forms found in the DOM
<form class="main-menu-search" aria-label="Search Trend Micro">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>Text Content
Business
search close
* Solutions
* By Challenge
* By Challenge
* By Challenge
Learn more
* Understand, Prioritize & Mitigate Risks
* Understand, Prioritize & Mitigate Risks
Improve your risk posture with attack surface management
Learn more
* Protect Cloud-Native Apps
* Protect Cloud-Native Apps
Security that enables business outcomes
Learn more
* Protect Your Hybrid World
* Protect Your Hybrid, Multi-Cloud World
Gain visibility and meet business needs with security
Learn more
* Securing Your Borderless Workforce
* Securing Your Borderless Workforce
Connect with confidence from anywhere, on any device
Learn more
* Eliminate Network Blind Spots
* Eliminate Network Blind Spots
Secure users and key operations throughout your environment
Learn more
* See More. Respond Faster.
* See More. Respond Faster.
Move faster than your adversaries with powerful purpose-built XDR,
attack surface risk management, and zero trust capabilities
Learn more
* Extend Your Team
* Extend Your Team. Respond to Threats Agilely
Maximize effectiveness with proactive risk reduction and managed
services
Learn more
* Operationalizing Zero Trust
* Operationalizing Zero Trust
Understand your attack surface, assess your risk in real time, and
adjust policies across network, workloads, and devices from a single
console
Learn more
* By Role
* By Role
* By Role
Learn more
* CISO
* CISO
Drive business value with measurable cybersecurity outcomes
Learn more
* SOC Manager
* SOC Manager
See more, act faster
Learn more
* Infrastructure Manager
* Infrastructure Manager
Evolve your security to mitigate threats quickly and effectively
Learn more
* Cloud Builder and Developer
* Cloud Builder and Developer
Ensure code runs only as intended
Learn more
* Cloud Security Ops
* Cloud Security Ops
Gain visibility and control with security designed for cloud
environments
Learn more
* By Industry
* By Industry
* By Industry
Learn more
* Healthcare
* Healthcare
Protect patient data, devices, and networks while meeting regulations
Learn more
* Manufacturing
* Manufacturing
Protecting your factory environments – from traditional devices to
state-of-the-art infrastructures
Learn more
* Oil & Gas
* Oil & Gas
ICS/OT Security for the oil and gas utility industry
Learn more
* Electric Utility
* Electric Utility
ICS/OT Security for the electric utility
Learn more
* Federal
* Federal
Learn more
* Automotive
* Automotive
Learn more
* 5G Networks
* 5G Networks
Learn more
* Small & Midsized Business Security
* Small & Midsized Business Security
Stop threats with comprehensive, set-it-and-forget-it protection
Learn more
* Platform
* Vision One Platform
* Vision One Platform
* Trend Vision One
Our Unified Platform
Bridge threat protection and cyber risk management
Learn more
* AI Companion
* Trend Vision One Companion
Your generative AI cybersecurity assistant
Learn more
* Attack Surface Management
* Attack Surface Management
Stop breaches before they happen
Learn more
* XDR (Extended Detection & Response)
* XDR (Extended Detection & Response)
Stop adversaries faster with a broader perspective and better context to
hunt, detect, investigate, and respond to threats from a single platform
Learn more
* Cloud Security
* Cloud Security
* Trend Vision One™
Cloud Security Overview
The most trusted cloud security platform for developers, security
teams, and businesses
Learn more
* Attack Surface Risk Management for Cloud
* Attack Surface Risk Management for Cloud
Cloud asset discovery, vulnerability prioritization, Cloud Security
Posture Management, and Attack Surface Management all in one
Learn more
* XDR for Cloud
* XDR for Cloud
Extend visibility to the cloud and streamline SOC investigations
Learn more
* Workload Security
* Workload Security
Secure your data center, cloud, and containers without compromising
performance by leveraging a cloud security platform with CNAPP
capabilities
Learn more
* Container Security
* Container Security
Simplify security for your cloud-native applications with advanced
container image scanning, policy-based admission control, and container
runtime protection
Learn more
* File Security
* File Security
Protect application workflow and cloud storage against advanced threats
Learn more
* Endpoint Security
* Endpoint Security
* Endpoint Security Overview
Defend the endpoint through every stage of an attack
Learn more
* XDR for Endpoint
* XDR for Endpoint
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Workload Security
* Workload Security
Optimized prevention, detection, and response for endpoints, servers,
and cloud workloads
Learn more
* Industrial Endpoint Security
* Industrial Endpoint Security
Learn more
* Mobile Security
* Mobile Security
On-premises and cloud protection against malware, malicious
applications, and other mobile threats
Learn more
* Network Security
* Network Security
* Network Security Overview
Expand the power of XDR with network detection and response
Learn more
* XDR for Network
* XDR for Network
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Network Intrusion Prevention (IPS)
* Network Intrusion Prevention (IPS)
Protect against known, unknown, and undisclosed vulnerabilities in your
network
Learn more
* Breach Detection System (BDS)
* Breach Detection System (BDS)
Detect and respond to targeted attacks moving inbound, outbound, and
laterally
Learn more
* Secure Service Edge (SSE)
* Secure Service Edge (SSE)
Redefine trust and secure digital transformation with continuous risk
assessments
Learn more
* Industrial Network Security
* Industrial Network Security
Learn more
* 5G Network Security
* 5G Network Security
Learn more
* Email Security
* Email Security
* Email Security
Stop phishing, malware, ransomware, fraud, and targeted attacks from
infiltrating your enterprise
Learn more
* Email and Collaboration Security
* Trend Vision One™
Email and Collaboration Security
Stop phishing, ransomware, and targeted attacks on any email service
including Microsoft 365 and Google Workspace
Learn more
* OT Security
* OT Security
* OT Security
Learn about solutions for ICS / OT security.
Learn more
* XDR for OT
* XDR for OT
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Industrial Network Security
* Industrial Network Security
Industrial Network Security
* Industrial Endpoint Security
* Industrial Endpoint Security
Learn more
* Threat Insights
* Threat Insights
See threats coming from miles away
Learn more
* Identity Security
* Identity Security
End-to-end identity security from identity posture management to
detection and response
Learn more
* On-Premises Data Sovereignty
* On-Premises Data Sovereignty
Prevent, detect, respond and protect without compromising data
sovereignty
Learn more
* All Products, Services, and Trials
* All Products, Services, and Trials
Learn more
* Research
* Research
* Research
* Research
Learn more
* Research, News, and Perspectives
* Research, News, and Perspectives
Learn more
* Research and Analysis
* Research and Analysis
Learn more
* Security News
* Security News
Learn more
* Zero Day Initiatives (ZDI)
* Zero Day Initiatives (ZDI)
Learn more
* Services
* Our Services
* Our Services
* Our Services
Learn more
* Service Packages
* Service Packages
Augment security teams with 24/7/365 managed detection, response, and
support
Learn more
* Managed XDR
* Managed XDR
Augment threat detection with expertly managed detection and response
(MDR) for email, endpoints, servers, cloud workloads, and networks
Learn more
* Incident Response
* Incident Response
* Incident Response
Our trusted experts are on call whether you're experiencing a breach
or looking to proactively improve your IR plans
Learn more
* Insurance Carriers and Law Firms
* Insurance Carriers and Law Firms
Stop breaches with the best response and detection technology on the
market and reduce clients’ downtime and claim costs
Learn more
* Support Services
* Support Services
Learn more
* Partners
* Partner Program
* Partner Program
* Partner Program Overview
Grow your business and protect your customers with the best-in-class
complete, multilayered security
Learn more
* Managed Security Service Provider
* Managed Security Service Provider
Deliver modern security operations services with our industry-leading
XDR
Learn more
* Managed Service Provider
* Managed Service Provider
Partner with a leading expert in cybersecurity, leverage proven
solutions designed for MSPs
Learn more
* Cloud Service Provider
* Cloud Service Provider
Add market-leading security to your cloud service offerings – no matter
which platform you use
Learn more
* Professional Services
* Professional Services
Increase revenue with industry-leading security
Learn more
* Resellers
* Resellers
Discover the possibilities
Learn more
* Marketplace
* Marketplace
Learn more
* System Integrators
* System Integrators
Learn more
* Alliance Partners
* Alliance Partners
* Alliance Overview
We work with the best to help you optimize performance and value
Learn more
* Technology Alliance Partners
* Technology Alliance Partners
Learn more
* Our Alliance Partners
* Our Alliance Partners
Learn more
* Partner Tools
* Partner Tools
* Partner Tools
Learn more
* Partner Login
* Partner Login
Login
* Education and Certification
* Education and Certification
Learn more
* Partner Successes
* Partner Successes
Learn more
* Distributors
* Distributors
Learn more
* Find a Partner
* Find a Partner
Learn more
* Company
* Why Trend Micro
* Why Trend Micro
* Why Trend Micro
Learn more
* Customer Success Stories
* Customer Success Stories
Learn more
* The Human Connection
* The Human Connection
Learn more
* Industry Accolades
* Industry Accolades
Learn more
* Strategic Alliances
* Strategic Alliances
Learn more
* Compare Trend Micro
* Compare Trend Micro
* Compare Trend Micro
See how Trend outperforms the competition
Let's go
* vs. Crowdstrike
* Trend Micro vs. Crowdstrike
Crowdstrike provides effective cybersecurity through its cloud-native
platform, but its pricing may stretch budgets, especially for
organizations seeking cost-effective scalability through a true single
platform
Let's go
* vs. Microsoft
* Trend Micro vs. Microsoft
Microsoft offers a foundational layer of protection, yet it often
requires supplemental solutions to fully address customers' security
problems
Let's go
* vs. Palo Alto Networks
* Trend Micro vs. Palo Alto Networks
Palo Alto Networks delivers advanced cybersecurity solutions, but
navigating its comprehensive suite can be complex and unlocking all
capabilities requires significant investment
Let's go
* About Us
* About Us
* About Us
Learn more
* Trust Center
* Trust Center
Learn more
* History
* History
Learn more
* Diversity, Equity and Inclusion
* Diversity, Equity and Inclusion
Learn more
* Corporate Social Responsibility
* Corporate Social Responsibility
Learn more
* Leadership
* Leadership
Learn more
* Security Experts
* Security Experts
Learn more
* Internet Safety and Cybersecurity Education
* Internet Safety and Cybersecurity Education
Learn more
* Legal
* Legal
Learn more
* Investors
* Investors
Learn more
* Formula E Racing
* Formula E Racing
Learn more
* Connect With Us
* Connect With Us
* Connect With Us
Learn more
* Newsroom
* Newsroom
Learn more
* Events
* Events
Learn more
* Careers
* Careers
Learn more
* Webinars
* Webinars
Learn more
Back
Back
Back
Back
* Free Trials
* Contact Us
Looking for home solutions?
Under Attack?
4 Alerts
Back
Unread
All
* Imagine with AI. Secure with Trend.
close
Get expert insight >
* Confidence in GenAI: The Zero Trust Approach
close
Read blog >
* Trend 2024 Midyear Cybersecurity Threat Report
close
Read findings >
* Pressing Pause on a Play Ransomware Attack with Managed Detection and
Response
close
Read more >
Folio (0)
Support
* Business Support Portal
* Education and Certification
* Contact Support
* Find a Support Partner
Resources
* AI Hub
* Trend Micro vs. Competition
* Cyber Risk Index/Assessment
* CISO Resource Center
* DevOps Resource Center
* What Is?
* Threat Encyclopedia
* Cloud Health Assessment
* Cyber Insurance
* Glossary of Terms
* Webinars
Log In
* Vision One
* Support
* Partner Portal
* Cloud One
* Product Activation and Management
* Referral Affiliate
Back
arrow_back
search
close
Content has been added to your Folio
Go to Folio (0) close
Malware
THREAT ACTORS TARGET THE MIDDLE EAST USING FAKE PALO ALTO GLOBALPROTECT TOOL
Threat actors are targeting users in the Middle East by distributing
sophisticated malware disguised as the Palo Alto GlobalProtect tool.
By: Mohamed Fahmy August 29, 2024 Read time: 5 min (1380 words)
Save to Folio
Subscribe
--------------------------------------------------------------------------------
SUMMARY AND INTRODUCTION
* Users in the Middle East are potentially being targeted by threat actors
through malware disguised as the Palo Alto GlobalProtect Tool.
* The malware uses a two-stage infection routine and advanced C&C
infrastructure.
* It infects victims via a setup.exe file while using the Interactsh project
for beaconing, communicating with specific hostnames to report infection
progress and gather victim information.
* The malware can execute remote PowerShell commands, download and exfiltrate
files, encrypt communications, and bypass sandbox solutions, representing a
significant threat to targeted organizations.
We came across a sophisticated malware sample employing a two-stage infection
process and seemingly originating from the Middle East, that masquerades as a
legitimate Palo Alto GlobalProtect tool.
One of the more notable aspects of this malware is its use of a
command-and-control (C&C) infrastructure that pivots to a newly registered URL
("sharjahconnect"; note that Sharjah is one of the emirates of the UAE) designed
to resemble a company VPN portal. This disguise not only aids in the initial
infiltration but also helps maintain persistent access to compromised networks.
Furthermore, the malware uses the Interactsh project (a tool primarily designed
for penetration testers to verify the success of their exploits) for beaconing
purposes. Using this tool, threat actors can trigger connections to hostnames
within Interactsh’s oast[.]fun domain. Note that other threat actors such as
APT28 have been observed exploiting this resource. In this case, the threat
actor behind the malware used these connections as a beaconing mechanism to
track which targets progress through various stages of the infection chain.
Written in C#, this malware boasts a range of capabilities, including the
ability to execute remote PowerShell commands, download and execute additional
payloads, and exfiltrate specific files from the infected machine. These
functions highlight the malware's potential to cause significant damage and
disruption within targeted organizations.
As we examine the technical specifics and the broader implications of this
threat, it is important for cybersecurity professionals to stay informed and
vigilant. Understanding the nuances of such sophisticated attacks is essential
for developing effective defense mechanisms and mitigating potential risks to
critical infrastructure and sensitive data.
INFECTION CHAIN
The exact delivery method of this malware remains unclear, but it is suspected
to have been part of a phishing attack that deceives victims into believing they
are installing a legitimate GlobalProtect agent.
Figure 1. Infection chain of an attack
download
The infection chain begins with a file named setup.exe, which is the initial
stage of the attack. This executable deploys GlobalProtect.exe, which is the
primary component of the malware, along with the configuration files RTime.conf
and ApProcessId.conf. These files are then placed in the directory
C:\\Users\(UserName)\AppData\Local\Programs\PaloAlto\.
Figure 2. Fake GlobalProtect setup process
download
Once executed, GlobalProtect.exe initiates a beaconing mechanism to notify the
threat actor of the successful completion of each phase of the infection
process. It communicates with hostnames such as
step[1-6]-[dsktoProcessId].tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast[.]fun to
report the routine’s progress, specifically during “step1-6” of the infection
chain.
BEHAVIOR AND COMMANDS
SANDBOX EVASION TECHNIQUE
The malware implements an evasion technique to bypass behavior analysis and
sandbox solutions by checking the process file path and the specific file before
executing the main code block.
Figure 3. Code snippet showing the malware evasion technique
download
RETRIEVING MACHINE INFORMATION
The malware retrieves the victim’s IP address, operating system information,
username, machine name, and sleep time sequence from the RTime.conf file. It
also gathers the DesktoProcessId and encryption key from ApProcessId.conf. The
key is used to encrypt the traffic sent to the C&C server , while the
DesktoProcessId is used to identify specific parts of the URL for beaconing.
Figure 4. Gathering information from the victim’s machine
download
MALWARE ENCRYPTION
Our analysis revealed that the malware uses string encryption via the AES
encryption algorithm. The following is an explanation of each part of the
encryption method:
* Input: Takes two strings, one to encrypt and another as the key.
* Process: Encrypts the input string using AES encryption with ECB mode.
* Output: Returns the encrypted string in Base64 format. If the encryption
fails, it returns the original string.
Figure 5. The malware encryption process
download
MALWARE COMMANDS
The malware uses four types of commands, which are explained in the following
table:
Command Details time to reset Commands the malware to sleep for a specific
amount of time. pw Execute a PowerShell script and return the result to the
server hxxp[:]//94.131.108.78[:]7118/B/hi/, after which the threat actor is
notified via DNS request if “step6” is successful. pr Processes a command string
and performs different actions based on the command type:
wtime: Reads or writes a wait time to a file.
create-process: Starts a process and returns its output.
dnld: Downloads a file from a URL to a local path.
upl: Uploads a file to a remote server.
Encryption is used for secure communication with the remote server. If the
command is unrecognized, it returns an "invalid program command" message. The
result is sent to the C&C server hxxp[:]//94.131.108.78[:]7118/B/hi/. invalid
command type In case an error occurs in any part of the execution, the malware
uses the command function to send the result via the string “invalid command
type”.
Table 1. The commands used by the malware
Figure 6. Code snippet showing the malware commands
download
USING THE INTERACTSH PROJECT FOR BEACONING PURPOSES
The malware leverages the Interactsh project for beaconing purposes. After each
phase of the malware infection, it sends a DNS request to the following domain:
Step[1-6]-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun
Here, dsktoProcessId is a unique identifier for the machine, while Step[1-6]
varies from step 1 to step 6, corresponding to each phase of the malware's
operation, ranging from collecting machine information to successfully executing
commands received from the C&C server.
CONCLUSION
The malware sample we examined, which likely targets entities within the Middle
East, reveals a sophisticated use of C&C infrastructure and advanced evasion
techniques.
Our findings include the following:
1. Using dynamic C&C infrastructure: The malware pivots to a newly registered
URL, "sharjahconnect" (likely referring to the UAE emirate Sharjah),
designed to resemble a legitimate VPN portal for a company based in the UAE.
This tactic is designed to allow the malware’s malicious activities to blend
in with expected regional network traffic and enhance its evasion
characteristics.
2. Domain masquerading: By mimicking a familiar regional service, the attackers
exploit trust relationships, increasing the likelihood of successful C&C
communications.
3. Geopolitical targeting: The domain's regional specificity and the origin of
the submission suggest a targeted campaign against Middle Eastern entities,
possibly for geopolitical or economic espionage.
4. Using newly registered domains: Using fresh domains for C&C activities
allows attackers to bypass blacklists and makes attribution more
complicated.
RECOMMENDATIONS AND TREND SOLUTIONS
It’s likely that the threat actor made use of social engineering to lure victims
into downloading fake tools and services. Given the widespread use of social
engineering in cybercrime, defending against it should be a priority for both
organizations and individual users. This requires a multi-faceted approach that
combines education, policy, technology, and vigilance. Here are some
recommendations to help safeguard against social engineering:
User awareness and training: Conducting regular training sessions on the various
types of social engineering attacks, providing updates on new tactics and trends
in social engineering, and educating employees to recognize common red flags can
help prevent users from falling victim to social engineering lures.
Principle of least privilege: Granting employees access only to the data and
systems they need for their roles minimizes the chance of attackers gaining
access to vital information even during a successful breach.
Email and web security: Organizations should deploy robust email and web
security solutions to filter and block malicious and suspicious content.
Incident response plan: A well-defined incident response plan is crucial for
organizations to be able to handle social engineering attacks. This includes the
immediate steps to contain and mitigate the threat.
Organizations can also consider powerful security technologies such as Trend
Vision One™ , which offers multilayered protection and behavior detection,
helping block malicious tools and services before they can inflict damage on
user machines and systems.
VISION ONE QUERY
The following V1 Detection quary can be used to check the presence of the
GLOBALSHADOW binary:
malName:* GLOBALSHADOW* AND eventName:MALWARE_DETECTION
Indicators of Compromise (IOCs)The indicators of compromise for this entry can
be found here.
Tags
Malware | APT & Targeted Attacks | Endpoints | Research | Articles, News,
Reports | Cyber Threats
AUTHORS
* Mohamed Fahmy
Threat Researcher
Contact Us
Subscribe
RELATED ARTICLES
* Why NDR is Key to Cyber 'Pest Control'
* Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
* How AI Goes Rogue
See all articles
Experience our unified platform for free
* Claim your 30-day trial
*
*
*
*
*
RESOURCES
* Blog
* Newsroom
* Threat Reports
* DevOps Resource Center
* CISO Resource Center
* Find a Partner
SUPPORT
* Business Support Portal
* Contact Us
* Downloads
* Free Trials
*
*
ABOUT TREND
* About Us
* Careers
* Locations
* Upcoming Events
* Trust Center
*
Country Headquarters
Trend Micro - United States (US)
225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062
Phone: +1 (817) 569-8900
Select a country / region
United States expand_more
close
THE AMERICAS
* United States
* Brasil
* Canada
* México
MIDDLE EAST & AFRICA
* South Africa
* Middle East and North Africa
EUROPE
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
ASIA & PACIFIC
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
Privacy | Legal | Accessibility | Site map
Copyright ©2024 Trend Micro Incorporated. All rights reserved
Copyright ©2024 Trend Micro Incorporated. All rights reserved
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept
✓
Danke für das Teilen!
AddToAny
Mehr…
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
BDOW!