This malware pretends to be a real VPN service to lure in victims

Criminals are impersonating Palo Alto solutions to drop malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have been found impersonating legitimate, enterprise-gradeVPNtools in an attempt to compromise large organizations, deploy additional malware, and possibly exfiltrate sensitive information.

A new report from cybersecurity researchers at Trend Micro spotted a fake Palo Alto GlobalProtect program being distributed online.

Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization’s network. It is designed to ensure that users, whether they are working remotely or on-site, can securely access company resources while maintaining a high level of security. Its key features include a VPN, endpoint security, and threat prevention.

Flying under the radar

Trend Micro isn’t certain how the enterprises ended up downloading and installing the wrong application. They suspect it is being distributed via phishing, but it is also likely that there is someSEOpoisoning going on, and that employees are being contacted via instant messaging, too.

In any case, when the users run the ‘GlobalProtect.exe’ file, they get a window that looks like a normal installation, in order not to raise any suspicion. However, in the background, the malware is being loaded, too. It first analyzes the target endpoint to see if it’s running in a sandbox, and if that’s not the case, it runs its primary code.

After that, it profiles the device, and sends the information back to its C2 server, encrypted.

Trend Micro says this malware goes the extra mile to fly under the radar. For example, the C2 address is newly registered, and contains “sharjahconnect” strong, to make it appear as if it’s coming from Palo Alto’s offices in Sharjah, United Arab Emirates.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Furthermore, themalwarecommunicates with the C2 via periodically sent beacons through Interactsh, an open-source tool commonly used by pentesters.

Analyzing the malware, the researchers said it is capable of executing PowerShell scripts, downloading and uploading files, and more.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days