Threat actors are distributing sophisticated malware disguised as the Palo Alto GlobalProtect tool to target users in the Middle East. The malware uses a two-stage infection process, an advanced C2 infrastructure with a pivot to a newly registered domain, Interactsh beaconing, and PowerShell-based capabilities that can exfiltrate files while evading sandbox detection. #GLOBALSHADOW #Sharjahconnect
Keypoints
- Targeted users in the Middle East are exposed to malware masquerading as Palo Alto GlobalProtect tooling.
- The infection chain uses a two-stage process initiated by a setup.exe file.
- Command-and-control infrastructure pivots to a newly registered domain (sharjahconnect) to blend with regional traffic.
- Interactsh is used for beaconing to report infection progress and victim information.
- Malware is written in C# and can execute remote PowerShell commands, download/exfiltrate payloads, and encrypt traffic.
- Sandbox evasion techniques are employed to bypass analysis and detection; phishing is a possible delivery method.
- Recommendations emphasize user training, least privilege, and robust email/web security.
MITRE Techniques
- [T1071.001] Application Layer Protocol: DNS β C2 communications over DNS to report infection progress. βUses DNS for communication with the C&C server.β
- [T1059.001] PowerShell β Executes PowerShell commands remotely. βExecutes PowerShell commands remotely.β
- [T1041] Exfiltration β Exfiltrates files from the infected machine. βExfiltrates files from the infected machine.β
- [T1562.001] Defense Evasion β Evades sandbox detection by checking the process file path and the specific file before executing the main code block. βThe malware implements an evasion technique to bypass behavior analysis and sandbox solutions by checking the process file path and the specific file before executing the main code block.β
Indicators of Compromise
- [Domain] step1-dsktoProcessId.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun, step6-dsktoProcessId.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun β DNS beacon domains used by Interactsh-based C2
- [Domain] sharjahconnect β Newly registered domain used as a VPN-portal-like C2 URL
- [Domain] oast.fun β Domain component of beaconing hostnames
- [IP] 94.131.108.78 β C2 server IP referenced in command table
- [File name] setup.exe, GlobalProtect.exe β Droppers / main payload and components
- [File name] RTime.conf, ApProcessId.conf β Configuration files used by the malware
Read more: https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html