Threat actors target Middle East users by distributing malware disguised as a legitimate Palo Alto GlobalProtect tool. After the installation, the malware exfiltrates sensitive data such as the IP address, system information, user names, and the machine’s sleep time sequence.
The malware employs a two-stage infection process and uses a newly registered URL masquerading as a VPN company for its command and control (C2) server. The newly registered domain allows attackers to bypass blacklists and causes complications in attribution.
Researchers have also found that the malware, written in C#, utilises Interactsh to communicate with the C2 server. Interactsh is a tool penetration testers employ to test and review their exploits; however, threat actors such as APT28 have repurposed it to track how far a victim's device has progressed through the stages of the infection.
The malware is quite sophisticated, allowing attackers to execute remote PowerShell commands, download and execute additional payloads, and exfiltrate files from the victim’s machines.
“These functions highlight the malware’s potential to cause significant damage and disruption within targeted organisations,” explained researchers.
Researchers are still unsure of the malware's exact delivery method. The infection chain begins when the victim downloads the malicious software, mistakenly believing it to be legitimate GlobalProtect software. After the download, a file named setup.exe deploys GlobalProtect.exe, the malware's primary component. Along with this main file, two configuration files, RTime.conf and ApProcessld.conf, are also downloaded into a Palo Alto folder on the C drive.
Once GlobalProtect.exe is executed, it begins communicating with the C2 server, notifying the threat actors as each stage of the malware runs.
Researchers found that, before executing its main code, the malware first checks its own file path and looks for specific files, an evasion step meant to detect and bypass sandboxes and behaviour analysis.
After the initial infection process, the malware exfiltrates the victim’s IP address, operating system information, and other sensitive information like the machine name, username, and sleep time sequence. Furthermore, the system’s encryption data is also collected via the ApProcessld.conf file. The malware also utilises the DesktoProcessld to identify specific parts of the URL for sharing with the C2 server.
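As an added defender-side example (not code from the page or from the researchers), the Python triage below flags the file artifacts described above (a GlobalProtect.exe outside its expected install folder, and RTime.conf and ApProcessld.conf sitting side by side) and DNS lookups to Interactsh domains, the beaconing the report ties to stage tracking. The legitimate install prefix and the Interactsh domain list are assumptions, and the file listing and log lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Artifacts named in the report: setup.exe drops GlobalProtect.exe together with
# RTime.conf and ApProcessld.conf into a "Palo Alto" folder on the C drive.
DROPPED_CONFIGS = {"rtime.conf", "approcessld.conf"}
# Assumption: the genuine client lives under this prefix (lower-cased for comparison);
# a GlobalProtect.exe anywhere else deserves a closer look.
LEGIT_PREFIX = "c:\\program files\\palo alto networks\\globalprotect\\"
# Assumption: default public Interactsh (OAST) domains; extend with your own list.
INTERACTSH_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online", "oast.me")

def triage_file_listing(paths):
    """Flag GlobalProtect.exe outside the install dir and folders holding both dropped configs."""
    findings, confs_by_folder = [], {}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == "globalprotect.exe" and not str(p).lower().startswith(LEGIT_PREFIX):
            findings.append(("globalprotect_outside_install_dir", str(p)))
        elif name in DROPPED_CONFIGS:
            confs_by_folder.setdefault(str(p.parent).lower(), set()).add(name)
    for folder, names in confs_by_folder.items():
        if names == DROPPED_CONFIGS:  # both files together, as the dropper writes them
            findings.append(("both_dropped_configs_present", folder))
    return findings

# Constructed log shape: "<timestamp> <host> query <qname>"
DNS_LINE = re.compile(r"^\S+ (?P<host>\S+) query (?P<qname>\S+)$")

def triage_dns_log(lines):
    """Return (host, qname) for lookups of Interactsh domains, i.e. the stage-tracking beacon."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        qname = m["qname"].lower().rstrip(".") if m else ""
        if any(qname == d or qname.endswith("." + d) for d in INTERACTSH_DOMAINS):
            hits.append((m["host"], m["qname"]))
    return hits

SAMPLE_PATHS = [  # constructed file listing, not from a real host
    r"C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
    r"C:\Palo Alto\GlobalProtect.exe",
    r"C:\Palo Alto\RTime.conf",
    r"C:\Palo Alto\ApProcessld.conf",
]
SAMPLE_DNS = [  # constructed DNS log lines
    "2024-08-29T10:00:01Z WS-17 query update.microsoft.com",
    "2024-08-29T10:00:05Z WS-17 query c0ffee.oast.fun",
]
```

Feed it a real file listing and resolver log and review every finding by hand; the path check is a heuristic, not proof of compromise.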
Researchers also discovered that the malware uses the AES encryption algorithm for maintaining persistence on the systems. Two strings are used for this purpose: one holds the data to be encrypted and the other serves as the key. After encrypting, the code returns the encrypted string in Base64 format.
The attackers are also able to control various functions of the malware to ensure more successful exploitation. For example, they can adjust the malware’s sleep time, execute a PowerShell script and alert the threat actor when it’s done, download a file from a URL, upload a file from the C2 server, and report any errors that occur during the execution process.
Researchers urge organisations to conduct regular training sessions, apply the principle of least privilege, install email and web security solutions, and have an incident response plan in place for emergencies.
“It’s likely that the threat actor made use of social engineering to lure victims into downloading fake tools and services. Given the widespread use of social engineering in cybercrime, defending against it should be a priority for both organisations and individual users,” researchers concluded.