Cybersecurity experts have identified a new malware campaign targeting users by disguising itself as the Palo Alto Networks GlobalProtect VPN tool. The malware poses a significant threat by executing remote PowerShell commands, downloading and exfiltrating files, encrypting communications, and evading sandbox detection, according to a recent report.
The malware uses a two-stage process that begins by connecting to a command-and-control (C2) server dressed up to look like a legitimate company VPN portal.
Because the traffic resembles an ordinary VPN login, the attackers can operate while blending in with normal network activity. The initial infection vector has not been confirmed, but phishing is believed to be used to trick users into downloading the fake GlobalProtect agent.
The attack begins with a file named “setup.exe” that installs the primary backdoor, “GlobalProtect.exe.” Once running, the backdoor beacons to the operators to report how far the infection has progressed.
In the same first stage, the malware drops two configuration files, “RTime.conf” and “ApProcessId.conf,” which it uses while collecting system details (IP address, operating system, username, machine name, and other information) and sending them to the remote C2 server at 94.131.108[.]78.
To avoid detection, the malware checks for specific file paths and file types before running its main code. A sample executed from an unexpected location, as it typically is in an analyst’s sandbox or behavior-analysis tool, never reaches the malicious logic, so those tools see nothing worth flagging.
The backdoor also serves as a gateway for uploading files, downloading further payloads, and running remote commands through PowerShell. For beaconing it uses the open-source Interactsh project, a tool penetration testers normally use to catch out-of-band callbacks, so the check-ins do not stand out as purpose-built C2 traffic and add another layer of stealth.
Additionally, the malware directs its traffic to a newly registered domain, “sharjahconnect,” apparently named after the emirate of Sharjah in the UAE. The domain is built to mimic a legitimate VPN portal so that the malware’s traffic blends in with regional network activity and further evades detection.
To protect against such threats, organizations should keep their security controls current and train employees to recognize phishing lures, since a spoofed VPN installer is exactly the kind of attachment or download such lures deliver. Multi-factor authentication, monitoring of network traffic for unusual patterns (including the C2 address and domains named above), and endpoint detection tools that look at where a “GlobalProtect.exe” is actually running from can help identify and mitigate this type of malware.