Date: 08/30/2024
Severity: Medium
Summary
The report "Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool" describes how cybercriminals are using a counterfeit version of the Palo Alto GlobalProtect security tool to exploit vulnerabilities in Middle Eastern organizations. These threat actors craft a fake tool that mimics the legitimate GlobalProtect software to deceive users into installing it. Once installed, the malicious software can facilitate unauthorized access, data theft, and further compromise of network security. This highlights the need for vigilance against phishing and malware disguised as trusted applications.
Indicators of Compromise (IOC) List
Type | Indicator |
URL/Domain | http://94.131.108.78:7118/B/hi/, portal.sharjahconnect.online, http://94.131.108.78:7118/B/desktop/, tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun |
IP Address | 94.131.108.78 |
Hash (SHA-1) | 72CDD3856A3FFD530DB50E0F48E71F089858E44F, 79B38C4BE5AC888E38EC5F21AC3710F3D0936A72 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domain | userdomainname like "http://94.131.108.78:7118/B/hi/" or url like "http://94.131.108.78:7118/B/hi/" or userdomainname like "portal.sharjahconnect.online" or url like "portal.sharjahconnect.online" or userdomainname like "http://94.131.108.78:7118/B/desktop/" or url like "http://94.131.108.78:7118/B/desktop/" or userdomainname like "tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun" or url like "tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun" |
IP Address | dstipaddress IN ("94.131.108.78") or ipaddress IN ("94.131.108.78") or publicipaddress IN ("94.131.108.78") or srcipaddress IN ("94.131.108.78") |
Hash | sha1hash IN ("72CDD3856A3FFD530DB50E0F48E71F089858E44F","79B38C4BE5AC888E38EC5F21AC3710F3D0936A72") |
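The queries above express three checks: a substring (`like`) match of the listed URLs and domains against `userdomainname`/`url`, an exact (`IN`) match of the C2 address against the four IP fields, and an exact match of the two SHA-1 values against `sha1hash`. The following Python script is an added example, not part of the advisory or of Gurucul's product, that replays those same checks over a handful of constructed log records so the matching logic can be validated offline before the queries are deployed. It assumes that `like` behaves as a case-insensitive substring match and `IN` as an exact match; the field names are taken from the queries, the sample events are invented.

```python
"""Added example: replay the advisory's IOC checks over constructed log records.

Assumptions (not stated in the advisory): the TDIR `like` operator is treated
here as a case-insensitive substring match and `IN (...)` as an exact match.
"""

# Indicators exactly as listed in the advisory's IOC table.
IOC_URLS_DOMAINS = (
    "http://94.131.108.78:7118/B/hi/",
    "portal.sharjahconnect.online",
    "http://94.131.108.78:7118/B/desktop/",
    "tdyfbwxngpmixjiqtjjote3k9qwc31dsx.oast.fun",
)
IOC_IPS = frozenset({"94.131.108.78"})
IOC_SHA1 = frozenset({
    "72CDD3856A3FFD530DB50E0F48E71F089858E44F",
    "79B38C4BE5AC888E38EC5F21AC3710F3D0936A72",
})

# Field names mirror the ones used in the advisory's detection queries.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha1hash",)


def match_event(event):
    """Return a list of '<type>:<field>=<ioc>' strings for every IOC hit in one record."""
    hits = []
    # URL/domain check: substring, case-insensitive (assumed semantics of `like`).
    for field in URL_FIELDS:
        value = str(event.get(field, "")).lower()
        for ioc in IOC_URLS_DOMAINS:
            if value and ioc.lower() in value:
                hits.append(f"url/domain:{field}={ioc}")
    # IP check: exact match across all four address fields.
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(f"ip:{field}={value}")
    # Hash check: exact match, normalised to upper case so EDR casing does not matter.
    for field in HASH_FIELDS:
        value = str(event.get(field, "")).upper()
        if value in IOC_SHA1:
            hits.append(f"sha1:{field}={value}")
    return hits


def scan(events):
    """Return {event_id: hits} for every record that matched at least one IOC."""
    results = {}
    for event in events:
        hits = match_event(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample telemetry (invented, not real data): proxy, firewall and EDR rows.
SAMPLE_EVENTS = [
    {"id": 1, "url": "http://94.131.108.78:7118/B/desktop/GlobalProtect.exe", "srcipaddress": "10.0.0.5"},
    {"id": 2, "userdomainname": "PORTAL.SHARJAHCONNECT.ONLINE", "dstipaddress": "203.0.113.10"},
    {"id": 3, "dstipaddress": "94.131.108.78", "url": "https://203.0.113.10/"},
    {"id": 4, "sha1hash": "72cdd3856a3ffd530db50e0f48e71f089858e44f"},
    {"id": 5, "url": "https://www.paloaltonetworks.com/", "dstipaddress": "198.51.100.7", "sha1hash": "0" * 40},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

Records 1 to 4 each trigger exactly one check and record 5 (legitimate vendor traffic) triggers none. One caveat worth confirming against the deployed platform: in several query languages a `like` pattern without wildcards is an exact comparison, in which case the URL rows would only fire on a byte-identical value and the path-prefixed download in record 1 would be missed.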
Reference:
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html