Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This malware pretends to be a real VPN service to lure in victims

Laptop with warning symbols over the keyboard.

Hackers have been found impersonating legitimate, enterprise-grade VPN tools in an attempt to compromise large organizations, deploy additional malware, and possibly exfiltrate sensitive information.

A new report from cybersecurity researchers at Trend Micro spotted a fake Palo Alto GlobalProtect program being distributed online.

Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization's network. It is designed to ensure that users, whether they are working remotely or on-site, can securely access company resources while maintaining a high level of security. Its key features include a VPN, endpoint security, and threat prevention.

Flying under the radar

Trend Micro isn’t certain how the enterprises ended up downloading and installing the wrong application. They suspect it is being distributed via phishing, but it is also likely that there is some SEO poisoning going on, and that employees are being contacted via instant messaging, too.

In any case, when the users run the ‘GlobalProtect.exe’ file, they get a window that looks like a normal installation, in order not to raise any suspicion. However, in the background, the malware is being loaded, too. It first analyzes the target endpoint to see if it’s running in a sandbox, and if that’s not the case, it runs its primary code.

After that, it profiles the device, and sends the information back to its C2 server, encrypted.

Trend Micro says this malware goes the extra mile to fly under the radar. For example, the C2 address is newly registered, and contains “sharjahconnect” strong, to make it appear as if it’s coming from Palo Alto’s offices in Sharjah, United Arab Emirates.

Furthermore, the malware communicates with the C2 via periodically sent beacons through Interactsh, an open-source tool commonly used by pentesters.

Analyzing the malware, the researchers said it is capable of executing PowerShell scripts, downloading and uploading files, and more.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.