Hackers Exploit Palo Alto Disguise for Data Theft and Network Infiltration
Hackers are employing malware disguised as the Palo Alto GlobalProtect tool, which can steal data and execute remote PowerShell commands to further infiltrate internal networks. Organizations in the Middle East have fallen victim to these attacks.
The use of Palo Alto GlobalProtect as bait indicates that the attackers are targeting corporate entities that utilize enterprise-level software, rather than random users.
Trend Micro specialists, who uncovered the campaign, suggest that the attack likely began with a phishing email, though the exact method of malware delivery remains unknown. The victim runs a file named “setup.exe,” which then deploys another file, “GlobalProtect.exe,” along with configuration files. At this point, a window simulating the GlobalProtect installation process appears on the screen, while in the background, the malware quietly infiltrates the system.
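The dropper chain described above (a user-launched “setup.exe” writing out a look-alike “GlobalProtect.exe”) is the kind of process lineage an endpoint telemetry pipeline can flag. The following is an added detection example, not code from the article or from Trend Micro: it triages constructed process-creation events and reports a GlobalProtect.exe launch that comes from an unexpected directory, lacks the expected publisher signature, or is spawned by a `setup.exe`. The allow-listed install directory and signer name are assumptions to be matched against your own software inventory.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Assumed allow-listed location and publisher for the genuine client (assumption,
# not taken from the article); verify both against a known-good install.
EXPECTED_INSTALL_DIR = r"C:\Program Files\Palo Alto Networks\GlobalProtect"
EXPECTED_SIGNER = "Palo Alto Networks"


@dataclass
class ProcessEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    signer: str        # Authenticode publisher, "" if unsigned


def is_suspicious_globalprotect(ev: ProcessEvent) -> List[str]:
    """Return the reasons this event resembles the masquerading dropper; empty if clean."""
    reasons: List[str] = []
    if ntpath.basename(ev.image).lower() != "globalprotect.exe":
        return reasons  # only events for the impersonated binary name are in scope
    directory = ntpath.dirname(ev.image).rstrip("\\").lower()
    if directory != EXPECTED_INSTALL_DIR.lower():
        reasons.append(f"unexpected path: {ev.image}")
    if ev.signer != EXPECTED_SIGNER:
        reasons.append(f"unexpected signer: {ev.signer or 'unsigned'}")
    if ntpath.basename(ev.parent_image).lower() == "setup.exe":
        reasons.append(f"spawned by {ev.parent_image}")
    return reasons


def triage(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Keep only events with at least one reason, paired with their image path."""
    hits = []
    for ev in events:
        reasons = is_suspicious_globalprotect(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample telemetry: one legitimate launch, one dropper-style launch.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
        signer="Palo Alto Networks",
    ),
    ProcessEvent(
        parent_image=r"C:\Users\victim\Downloads\setup.exe",
        image=r"C:\Users\victim\Downloads\GlobalProtect.exe",
        signer="",
    ),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Each reason is reported separately so an analyst can weigh them: an unsigned binary under a user-writable directory with a `setup.exe` parent is a much stronger signal than any one condition alone.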
Once executed, the malware checks whether it is running in a sandbox environment before initiating its main code. It then transmits information about the compromised device to a C2 server. To further evade detection, the malware uses AES encryption for the strings and data packets it transmits.
Notably, the URL of the C2 server was recently registered and contains the string “sharjahconnect,” resembling a legitimate VPN portal for offices in Sharjah, UAE. This choice of URL helps cybercriminals camouflage their activities as legitimate operations, reducing the likelihood that the victim will suspect anything amiss.
To communicate with its operators after infection, the malware periodically beacons using the legitimate open-source tool Interactsh. Although Interactsh is commonly used by penetration testers, its domain “oast.fun” has also been observed in campaigns by APT groups. No specific attribution has been made for this operation.
The C2 server can issue various commands to the infected device, including:
- Pausing the malware’s operation for a specified time;
- Executing a PowerShell script and sending the result back to the C2 server;
- Downloading a file from a specified URL;
- Uploading a file to a remote server.
Trend Micro researchers observed that although the attackers remain unidentified, the operation appears highly targeted. The use of target-specific URLs and newly registered C2 domains helps the attackers evade blocklists.
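Two of the network indicators the article highlights, beaconing through Interactsh's “oast.fun” domain and a freshly registered, lookalike C2 domain, are both visible in DNS query logs. The following is an added example, not code from the article or from Trend Micro: it scans constructed DNS log lines and flags lookups of the Interactsh default domain as well as domains registered within a configurable window of the observed query. The log format, the 30-day threshold and the registration table (which stands in for a WHOIS/RDAP or passive-DNS source) are assumptions; the lookalike domain in the table is a constructed `.example` placeholder, not the real C2 domain.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Interactsh's public default domain, as named in the article.
INTERACTSH_DOMAINS = {"oast.fun"}
# A domain registered within this many days of the query counts as newly registered
# (assumed threshold; tune to your false-positive budget).
NEW_DOMAIN_DAYS = 30

# Constructed registration table standing in for a WHOIS/RDAP or passive-DNS lookup.
REGISTRATION_DATES: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "sharjahconnect-vpn.example": date(2024, 8, 20),  # placeholder lookalike, constructed
}

# Assumed log format: "<ISO timestamp> <client IP> query <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def registrable_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: ignores multi-label public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(qname: str, observed: date, regs: Dict[str, date]) -> Optional[str]:
    """Return a verdict label for a single query, or None if nothing matched."""
    dom = registrable_domain(qname)
    if dom in INTERACTSH_DOMAINS:
        return "interactsh-oast"
    registered = regs.get(dom)
    if registered is not None and 0 <= (observed - registered).days <= NEW_DOMAIN_DAYS:
        return "newly-registered"
    return None


def scan(lines: List[str], regs: Dict[str, date]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, verdict) for every log line that matches a rule."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        observed = date.fromisoformat(m["ts"][:10])
        verdict = classify(m["qname"], observed, regs)
        if verdict:
            hits.append((m["client"], m["qname"], verdict))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-08-29T10:00:01Z 10.0.5.12 query abc123.oast.fun",
    "2024-08-29T10:00:05Z 10.0.5.12 query sharjahconnect-vpn.example",
    "2024-08-29T10:01:00Z 10.0.5.40 query www.example.com",
]

if __name__ == "__main__":
    for client, qname, verdict in scan(SAMPLE_LOG, REGISTRATION_DATES):
        print(f"{client} -> {qname}: {verdict}")
```

Both rules fire on the same client in the sample, which is the pattern worth prioritising: a host that resolves an Interactsh name and a days-old domain in the same minute is a stronger lead than either lookup alone.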