Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Published 30/08/2024 08:16 · Modified 30/08/2024 08:37

Essential information

Published
30/08/2024 08:16
Modified
30/08/2024 08:37
Tags
2024-08-30 cnc evasion globalprotect globalprotect.exe malware phishing
Related entities
1 vulnerability (CVE), 5 observables, 5 techniques (MITRE), 1 malware, 1 other

Description

Cybercriminals are running a two-stage campaign that masquerades as the Palo Alto GlobalProtect VPN tool to infiltrate systems in the Middle East region. The campaign relies on a command-and-control infrastructure built from newly registered domains designed to resemble legitimate VPN portals. It uses the Interactsh project for beaconing and maintains stealth through encryption and sandbox evasion techniques, giving the operators remote code execution, payload deployment, and data exfiltration on compromised hosts.

External references