Beware Of Fake Palo Alto Tool That Delivers Sophisticated Malware


A sophisticated malware targeting organizations in the Middle East is posing a significant threat. Disguised as a legitimate Palo Alto GlobalProtect tool, the malware uses a two-stage infection process and a sophisticated C&C infrastructure. 

It employs the Interactsh project for beaconing and communication, while leveraging its capabilities to execute remote PowerShell commands, download and exfiltrate files, and bypass sandbox solutions. 

EHA

The malware’s ability to maintain persistent access through a disguised VPN portal and its potential for significant damage make it a pressing cybersecurity concern.

Infection chain of an attack

The malware, likely delivered through a phishing attack, initiates with a setup.exe file, which deploys GlobalProtect.exe, the main malware component, and configuration files RTime.conf and ApProcessId.conf, which are installed in the C:\Users(UserName)AppDataLocalProgramsPaloAlto directory. 

GlobalProtect.exe then establishes a beaconing connection to a remote server, reporting the progress of the infection process in six steps by using hostnames like step[1-6]-[dsktoProcessId]tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast[.]fun.

It employs a sandbox evasion tactic that involves scrutinizing the process file path and the specific file before initiating the core code segment, which aims to circumvent behavior analysis and sandbox detection mechanisms. 

By examining the execution environment, the malware can effectively determine whether it’s operating within a controlled sandbox environment and adjust its behavior accordingly, thereby hindering its detection and analysis.

 Code snippet showing the malware evasion technique

It collects various system details from the victim’s machine by extracting the IP address, operating system information, username, machine name, and sleep time sequence from the RTime.conf file. 

Additionally, it retrieves the DesktoProcessId and encryption key from ApProcessId.conf, which is used to secure communication with the C&C server, while the DesktoProcessId serves as a unique identifier within the beaconing URL.

The malware employs a string encryption technique that utilizes the AES algorithm in ECB mode that involves taking two strings as input: one to be encrypted and the other serving as the encryption key. 

The input string is then encrypted using AES, and the resulting ciphertext is encoded in Base64 format. If the encryption process encounters any errors, the original string is returned unchanged.

 The malware encryption process

The analyzed malware communicates with a C&C server using encrypted commands, which offer four functionalities: sleep for a period, execute a PowerShell script and report results, process various sub-commands (read/write wait time, start process, download/upload file), and send an “invalid command type” message upon errors, and all results are sent back to the server. 

It also leverages DNS requests for beaconing after each infection stage, with a unique identifier for the machine and a step number between 1 and 6 indicating the current infection phase. 

 Code snippet showing the malware commands

According to Trend Micro, the malware exhibits sophisticated techniques to evade detection and target Middle Eastern entities. 

It dynamically switches to a newly registered domain resembling a legitimate VPN service to blend with regional traffic, which, combined with social engineering tactics, aims to deceive victims into downloading malicious tools. 

To counter such threats, organizations should prioritize user awareness, implement strict access controls, deploy robust email and web security, and have a well-defined incident response plan.



Source link