Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Using the Interactsh project for beaconing purposes

The malware leverages the Interactsh project for beaconing purposes. After each phase of the malware infection, it sends a DNS request to the following domain:

Step[1-6]-{dsktoProcessId}.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun

Here, dsktoProcessId is a unique identifier for the machine, while Step[1-6] varies from step 1 to step 6, corresponding to each phase of the malware’s operation, ranging from collecting machine information to successfully executing commands received from the C&C server.
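The beacon format above is regular enough to be matched directly in DNS telemetry. The following added example (not code from the original report or from Trend Micro) parses constructed DNS query log lines, recognises the Step[1-6]-{id}.{token}.oast.fun pattern, and summarises per host which infection phases were reached; it also flags any other query for the oast.fun suffix as a generic Interactsh interaction, since a corporate host should not normally resolve that domain. The log line layout (timestamp, host, query type, query name), the host names and the identifier values are assumptions for the demonstration; the 33-character token is the one quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (timestamp host qtype qname). Not real telemetry;
# the process identifiers and host names are made up, the token is the one from the report.
SAMPLE_DNS_LOG = """\
2024-08-20T09:12:01Z host-17 A step1-4a1f9c.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun
2024-08-20T09:12:03Z host-17 A step2-4a1f9c.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun
2024-08-20T09:12:07Z host-17 A step6-4a1f9c.tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun
2024-08-20T09:12:09Z host-22 A www.example.com
2024-08-20T09:12:11Z host-22 A abc123.oast.fun
"""

# Step[1-6]-{dsktoProcessId}.{interactsh token}.oast.fun, matched case-insensitively.
BEACON_RE = re.compile(
    r"^step(?P<step>[1-6])-(?P<pid>[^.]+)\.(?P<token>[a-z0-9]+)\.oast\.fun$",
    re.IGNORECASE,
)
# Public Interactsh server domain used by this sample; extend with other OAST
# domains an organisation wants to treat as suspicious.
INTERACTSH_SUFFIX = ".oast.fun"

def classify_query(qname: str):
    """Classify one DNS query name. Returns a dict describing the hit, or None."""
    name = qname.rstrip(".")
    m = BEACON_RE.match(name)
    if m:
        return {"kind": "beacon", "step": int(m["step"]),
                "pid": m["pid"], "token": m["token"].lower()}
    if name.lower().endswith(INTERACTSH_SUFFIX):
        # Not the malware's exact format, but still an Interactsh interaction.
        return {"kind": "interactsh", "step": None, "pid": None, "token": None}
    return None

def scan_dns_log(text: str):
    """Return a list of suspicious queries found in the log text, in file order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _qtype, qname = line.split()
        verdict = classify_query(qname)
        if verdict is not None:
            hits.append({"ts": ts, "host": host, "qname": qname, **verdict})
    return hits

def summarize_by_host(hits):
    """Per host: which beacon steps were seen, which process ids, and how many
    generic Interactsh queries. Step 6 means the C&C command loop was reached."""
    summary = defaultdict(lambda: {"steps": set(), "pids": set(), "generic_interactsh": 0})
    for h in hits:
        entry = summary[h["host"]]
        if h["kind"] == "beacon":
            entry["steps"].add(h["step"])
            entry["pids"].add(h["pid"])
        else:
            entry["generic_interactsh"] += 1
    return dict(summary)

if __name__ == "__main__":
    for host, info in summarize_by_host(scan_dns_log(SAMPLE_DNS_LOG)).items():
        stage = "reached command execution" if 6 in info["steps"] else "partial chain"
        print(host, sorted(info["steps"]), sorted(info["pids"]),
              info["generic_interactsh"], stage)
```

Because the sub-domain is a direct function of the machine identifier, the per-host step set doubles as a timeline: a host that only ever emitted Step1 and Step2 was likely blocked before command execution, whereas Step6 indicates the full chain completed and warrants host-level response rather than just DNS blocking.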

Conclusion

The malware sample we examined, which likely targets entities within the Middle East, reveals a sophisticated use of C&C infrastructure and advanced evasion techniques.

Our findings include the following:

  1. Using dynamic C&C infrastructure: The malware pivots to a newly registered URL, “sharjahconnect” (likely referring to the UAE emirate Sharjah), designed to resemble a legitimate VPN portal for a company based in the UAE. This tactic is designed to allow the malware’s malicious activities to blend in with expected regional network traffic and enhance its evasion characteristics.
  2. Domain masquerading: By mimicking a familiar regional service, the attackers exploit trust relationships, increasing the likelihood of successful C&C communications.
  3. Geopolitical targeting: The domain’s regional specificity and the origin of the submission suggest a targeted campaign against Middle Eastern entities, possibly for geopolitical or economic espionage.
  4. Using newly registered domains: Using fresh domains for C&C activities allows attackers to bypass blacklists and makes attribution more complicated.

It’s likely that the threat actor made use of social engineering to lure victims into downloading fake tools and services. Given the widespread use of social engineering in cybercrime, defending against it should be a priority for both organizations and individual users. This requires a multi-faceted approach that combines education, policy, technology, and vigilance. Here are some recommendations to help safeguard against social engineering:

User awareness and training: Conducting regular training sessions on the various types of social engineering attacks, providing updates on new tactics and trends in social engineering, and educating employees to recognize common red flags can help prevent users from falling victim to social engineering lures.

Principle of least privilege: Granting employees access only to the data and systems they need for their roles minimizes the chance of attackers gaining access to vital information even during a successful breach.

Email and web security: Organizations should deploy robust email and web security solutions to filter and block malicious and suspicious content.

Incident response plan: A well-defined incident response plan is crucial for organizations to be able to handle social engineering attacks. This includes the immediate steps to contain and mitigate the threat.

Organizations can also consider powerful security technologies such as Trend Vision One™, which offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.

The following Trend Vision One detection query can be used to check for the presence of the GLOBALSHADOW binary:

malName:* GLOBALSHADOW* AND eventName:MALWARE_DETECTION

Indicators of Compromise (IOCs)

The indicators of compromise for this entry can be found here.
