BleepingComputer reports that organizations across the Middle East have been targeted in attacks with information-stealing and network-infiltrating malware masquerading as the Palo Alto GlobalProtect VPN security solution.
Attackers deliver phishing emails that lure targets into installing the fraudulent GlobalProtect tool; when executed, the installer loads malware in the background during the setup process, according to a Trend Micro report. Before running its primary code, the malware also checks whether it is operating inside a sandbox, and it then transmits machine details to the attacker-controlled command-and-control server, which was registered under a URL containing the string "sharjahconnect" to masquerade as a legitimate VPN portal for offices across the City of Sharjah in the United Arab Emirates and to conceal malicious activity, said Trend Micro researchers. Researchers also found that the malware used in the attack could run commands enabling PowerShell script execution, file reads or writes with a wait time, file uploads and downloads, and time-set operational pauses.
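As an added illustration of how a defender might hunt for the behaviour described above (not code from the report or from Trend Micro), the following script scans constructed proxy log lines for hosts that imitate a VPN portal name (such as one containing "sharjahconnect") without being an approved portal, and scores their request timing for the near-constant intervals that a sleeping, polling implant produces. The allowlist, hostnames, IP addresses and log format are all assumptions made for the example.

```python
"""Hunt for lookalike VPN-portal hosts with beacon-like request timing.
All log lines, hostnames and addresses below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical allowlist of the organisation's genuine GlobalProtect portals.
APPROVED_PORTALS = {"vpn.example-corp.test"}
# Name fragments that a fake portal would reuse to look legitimate.
LOOKALIKE_TOKENS = ("sharjahconnect", "globalprotect")

# Constructed proxy log: "<ISO timestamp> <src-ip> <dest-host> <path>"
SAMPLE_LOG = """\
2024-08-28T09:00:00 10.1.1.5 sharjahconnect-portal.example.test /api/register
2024-08-28T09:05:00 10.1.1.5 sharjahconnect-portal.example.test /api/task
2024-08-28T09:10:01 10.1.1.5 sharjahconnect-portal.example.test /api/task
2024-08-28T09:15:00 10.1.1.5 sharjahconnect-portal.example.test /api/task
2024-08-28T09:02:13 10.1.1.7 vpn.example-corp.test /global-protect/login.esp
2024-08-28T09:41:50 10.1.1.7 vpn.example-corp.test /global-protect/getconfig.esp
2024-08-28T09:03:00 10.1.1.9 news.example.test /index.html
"""

def parse_log(text):
    """Return (timestamp, src, host, path) tuples from the constructed log."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), src, host.lower(), path))
    return rows

def is_lookalike(host):
    """A host is suspicious if it borrows a portal token but is not approved."""
    return host not in APPROVED_PORTALS and any(t in host for t in LOOKALIKE_TOKENS)

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; low values mean
    regular, sleep-driven polling rather than human browsing."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    return pstdev(gaps) / mean(gaps)

def find_suspect_beacons(text, max_cv=0.1):
    """Map (src, host) -> beacon score for lookalike hosts polled regularly."""
    per_pair = defaultdict(list)
    for ts, src, host, _ in parse_log(text):
        if is_lookalike(host):
            per_pair[(src, host)].append(ts)
    hits = {}
    for key, stamps in per_pair.items():
        cv = beacon_score(sorted(stamps))
        if cv is not None and cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits
```

On the sample log only the 10.1.1.5 host pair is reported: its name carries the lookalike token and its five-minute polling cadence scores far below the threshold, while the genuine portal and ordinary browsing are ignored.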