Watch Out for Fake Palo Alto Tool Spreading Advanced Malware

A sophisticated malware campaign is targeting organizations in the Middle East by disguising its payload as the legitimate Palo Alto Networks GlobalProtect VPN client.

The malware uses a two-stage infection process and a purpose-built command-and-control (C&C) infrastructure. It beacons through the Interactsh project, executes remote PowerShell commands, downloads and exfiltrates files, and evades sandbox detection.

How the Fake Palo Alto Tool Malware Works

Its ability to hide behind a fake VPN portal, combined with remote command execution and file exfiltration, makes it a serious threat to affected organizations.

The malware, most likely delivered through phishing, starts with a setup.exe file that installs GlobalProtect.exe and its configuration files under C:\Users\<UserName>\AppData\Local\Programs\PaloAlto\.

GlobalProtect.exe then connects to a remote server and reports the infection's progress to the attacker through specific hostnames.

To evade sandbox analysis, the malware checks its own process file path and file details before running its main code, and it adjusts its behavior when the environment looks like an analysis sandbox rather than a real victim machine.

The malware gathers system details from the victim's machine, such as IP address, operating system information, username and machine name, and reads its sleep time from the RTime.conf file. It also reads the DesktoProcessId and the encryption key from ApProcessId.conf: the key protects communication with the C&C server, and the DesktoProcessId serves as the unique identifier in the beaconing URL.

The malware encrypts strings with AES in ECB mode: one string is the plaintext and a second string is used as the key, and the resulting ciphertext is Base64-encoded. If encryption fails for any reason, the original plaintext string is used instead. Because ECB is deterministic, identical plaintext blocks under the same key produce identical ciphertext blocks, and once the key is recovered from ApProcessId.conf the strings can be decoded directly.
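The following Go program is an added example, not code from the article or from Trend Micro's analysis. It reproduces the string scheme as described (AES-ECB with the key taken from a second string, then Base64, plaintext returned on any error) and adds the analyst-side counterpart: DecryptString recovers a string once the key is known, and RepeatedBlocks demonstrates the ECB leak. PKCS#7 padding, the 16-byte key and the sample strings are assumptions; the real key would be the value read from ApProcessId.conf.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"fmt"
)

// pkcs7Pad pads data to a multiple of blockSize (16 bytes for AES).
// PKCS#7 is an assumption; the article does not state the padding scheme.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates PKCS#7 padding.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 {
		return nil, fmt.Errorf("empty ciphertext")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, fmt.Errorf("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptString mirrors the scheme the write-up describes: AES-ECB with the
// key taken from a second string, then Base64. On any error (for example a key
// that is not 16, 24 or 32 bytes) the plaintext is returned unchanged, which is
// the fallback the article notes.
func EncryptString(plain, key string) string {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return plain
	}
	padded := pkcs7Pad([]byte(plain), aes.BlockSize)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize { // ECB: every block on its own
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(out)
}

// DecryptString reverses EncryptString; this is what an analyst runs once the
// key from the configuration file has been recovered.
func DecryptString(enc, key string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is not block-aligned")
	}
	out := make([]byte, len(raw))
	for i := 0; i < len(raw); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], raw[i:i+aes.BlockSize])
	}
	plain, err := pkcs7Unpad(out)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// RepeatedBlocks reports whether the Base64-decoded ciphertext contains two
// identical 16-byte blocks, the classic ECB leak: identical plaintext blocks
// under the same key always encrypt to identical ciphertext blocks.
func RepeatedBlocks(enc string) bool {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return false
	}
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(raw); i += aes.BlockSize {
		b := string(raw[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	key := "0123456789abcdef" // assumed 16-byte key standing in for the ApProcessId.conf value
	enc := EncryptString("powershell -c whoami", key)
	dec, _ := DecryptString(enc, key)
	fmt.Println(enc, "->", dec)
	// Two identical 16-byte plaintext blocks become two identical ciphertext blocks.
	fmt.Println("ECB leak:", RepeatedBlocks(EncryptString("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", key)))
	fmt.Println("bad key falls back to plaintext:", EncryptString("anything", "short-key"))
}
```

The fallback branch is worth remembering during triage: a string that does not look like Base64 in the binary's traffic or configuration may simply be one that failed to encrypt, not a different encoding.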

The malware communicates with the C&C server using encrypted commands, which allow it to:

  • Sleep for a specified period.
  • Run a PowerShell script and report the results.
  • Handle various sub-commands, such as reading or writing the wait time, starting processes, and downloading or uploading files.
  • Send an "invalid command type" message when a command cannot be handled.

All results are sent back to the server.

Additionally, it sends DNS beacons after each infection stage; each query carries the unique machine identifier and a step number from 1 to 6 that tells the operator which phase of the infection the victim has reached.
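The Go program below is an added detection example, not code from the article or from Trend Micro. It turns the beaconing behavior described above into a hunt over DNS query logs: extract the machine identifier and step number from each query name and report, per identifier, which steps have been observed. The query-name layout (<machine-id>.step<N>.<beacon-domain>), the placeholder domain example-oob.test and the log lines are all constructed for this example; in practice you would substitute the Interactsh domain seen in your own telemetry.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Assumed query-name layout: <machine-id>.step<N>.<beacon-domain>. The article
// only states that each beacon carries a machine identifier and a step number
// from 1 to 6; the layout and the domain below are illustrative.
var beaconRe = regexp.MustCompile(`^([a-z0-9-]+)\.step([1-6])\.example-oob\.test$`)

// ParseBeacon extracts the machine identifier and step number from a query
// name, returning ok=false for names that do not follow the beacon layout.
func ParseBeacon(qname string) (id string, step int, ok bool) {
	m := beaconRe.FindStringSubmatch(strings.ToLower(strings.TrimSuffix(qname, ".")))
	if m == nil {
		return "", 0, false
	}
	step, _ = strconv.Atoi(m[2])
	return m[1], step, true
}

// FindBeaconingHosts reads "timestamp client qname" log lines and returns, per
// machine identifier, the distinct steps seen in ascending order. Identifiers
// with fewer than minSteps distinct steps are dropped. A host walking through
// step1..step6 is an infection progressing exactly as the malware reports it.
func FindBeaconingHosts(lines []string, minSteps int) map[string][]int {
	steps := map[string]map[int]bool{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		id, step, ok := ParseBeacon(f[2])
		if !ok {
			continue
		}
		if steps[id] == nil {
			steps[id] = map[int]bool{}
		}
		steps[id][step] = true
	}
	out := map[string][]int{}
	for id, set := range steps {
		if len(set) < minSteps {
			continue
		}
		var seq []int
		for s := range set {
			seq = append(seq, s)
		}
		sort.Ints(seq)
		out[id] = seq
	}
	return out
}

// Constructed sample log lines (not real telemetry): one host walks through
// several steps, one host makes a single beacon, one query is benign.
var sampleLog = []string{
	"2024-08-29T10:00:01Z 10.0.0.7 h9k2p.step1.example-oob.test",
	"2024-08-29T10:00:03Z 10.0.0.7 h9k2p.step2.example-oob.test",
	"2024-08-29T10:00:09Z 10.0.0.7 h9k2p.step3.example-oob.test",
	"2024-08-29T10:00:20Z 10.0.0.7 h9k2p.step6.example-oob.test",
	"2024-08-29T10:01:00Z 10.0.0.9 www.paloaltonetworks.com",
	"2024-08-29T10:01:05Z 10.0.0.9 q7f1z.step1.example-oob.test",
}

func main() {
	for id, seq := range FindBeaconingHosts(sampleLog, 2) {
		fmt.Printf("machine %s beaconed steps %v\n", id, seq)
	}
}
```

Keying on the machine identifier rather than the source IP matters because the identifier is what the operator tracks; a host that re-addresses or roams behind a different NAT still shows up as the same infection, and a gap in the sequence (step 3 followed by step 6) tells the responder which stages happened without a beacon that the log captured.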

Trend Micro, which analyzed the samples, reports that the malware uses advanced evasion techniques and specifically targets entities in the Middle East. The following precautions reduce exposure to this kind of campaign:

  • Train Users: Regularly teach employees about social engineering and how to recognize it, including fake installers for trusted VPN software.
  • Limit Access: Give employees access only to the data and systems they need.
  • Secure Email and Web: Use tools that block malicious content in email and on the web.
  • Have a Response Plan: Create a clear plan so that social engineering attacks are handled quickly.


Published August 29th, 2024 (2024-08-29T21:37:52+05:30) | Categories: Compromised, Exploitation, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews - Identifies Security