Subj : This malware pretends to be a real VPN service to lure in victims To : All From : TechnologyDaily Date : Fri Aug 30 2024 15:15:05 This malware pretends to be a real VPN service to lure in victims Date: Fri, 30 Aug 2024 14:05:00 +0000 Description: Criminals are impersonating Palo Alto tools to drop malware to large enterprises in the Middle East. FULL STORY ====================================================================== Hackers have been found impersonating legitimate, enterprise-grade VPN tools in an attempt to compromise large organizations, deploy additional malware, and possibly exfiltrate sensitive information. A new report from cybersecurity researchers at Trend Micro spotted a fake Palo Alto GlobalProtect program being distributed online. Palo Alto GlobalProtect is a security solution that provides secure remote access to an organization's network. It is designed to ensure that users, whether they are working remotely or on-site, can securely access company resources while maintaining a high level of security. Its key features include a VPN, endpoint security, and threat prevention. Flying under the radar Trend Micro isnt certain how the enterprises ended up downloading and installing the wrong application. They suspect it is being distributed via phishing, but it is also likely that there is some SEO poisoning going on, and that employees are being contacted via instant messaging, too. In any case, when the users run the GlobalProtect.exe file, they get a window that looks like a normal installation, in order not to raise any suspicion. However, in the background, the malware is being loaded, too. It first analyzes the target endpoint to see if its running in a sandbox, and if thats not the case, it runs its primary code. After that, it profiles the device, and sends the information back to its C2 server, encrypted. Trend Micro says this malware goes the extra mile to fly under the radar. For example, the C2 address is newly registered, and contains sharjahconnect strong, to make it appear as if its coming from Palo Altos offices in Sharjah, United Arab Emirates. Furthermore, the malware communicates with the C2 via periodically sent beacons through Interactsh, an open-source tool commonly used by pentesters. Analyzing the malware, the researchers said it is capable of executing PowerShell scripts, downloading and uploading files, and more. Via BleepingComputer More from TechRadar Pro Beware that new VPN you've found could be infected with malware Here's a list of the best firewall software around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/this-malware-pretends-to-be-a-real-vpn- service-to-lure-in-victims --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .