In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Our Threat Response Unit (TRU) has observed DUCKTAIL, a malware operation discovered by WithSecure in 2022, within a customer’s environment. The DUCKTAIL malware contains general information stealing capabilities with a focus on Facebook Business accounts.
Operators are known to locate and target individuals likely to have access to these accounts, primarily businesses or individuals responsible for ad services, such as members of marketing teams.
LinkedIn is commonly used to identify and engage targets of interest. In one recent incident, a marketing specialist was contacted via LinkedIn messaging about possible freelance work for a major hotel chain.
After some back and forth, the target was sent a password protected .rar archive containing several decoy files and a shortcut payload.
The freelance advertisement lure is in line with DUCKTAIL’s historical lures, which focus on marketing/advertising plans and job offers (see table below).
| Payload Name | First Seen |
| --- | --- |
| SPECIALIST_AGENCY_JOB-DETAILS_FOR_JULY_INTERVIEW_2023.pdf.lnk.lnk | 2023-07-12 |
| PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.pdf.lnk | 2023-07-05 |
| BRANDSTYLE FACEBOOK ADS SPECIALIST - JOB DETAILS.pdf.lnk | 2023-07-04 |
| JD MARKETING FLIGHTPATH.pdf.lnk | 2023-07-04 |
| AthletikanAU_Makerting_ Plan_2023.pdf.lnk | 2023-06-09 |
| Details of Project Marketing Plan.lnk | 2023-04-21 |
In early July 2023, TRU identified several DUCKTAIL cases, including the LinkedIn example above. In the most recent case, the user was sent a .rar file, PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.rar, which contained a handful of PNG images and a .lnk (shortcut) file masquerading as a PDF.
Examining the .lnk metadata using ExifTool shows that it will execute PowerShell commands in a hidden window. The metadata also shows a Machine ID of “desktop-oalig8v” and a Drive Serial Number of “7838-8B0E”, both of which are linked to other .lnk samples on public malware repositories.
The PowerShell commands are slightly obfuscated using string replacement methods. Their function is to download two files from impressiondigitals[.]agency:

- Decoy PDF: impressiondigitals[.]agency/files2/PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.lnk (MD5: 83ecbfdfa31f9934338a0f5b5edfdcfa)
- HawkEyes Payload: impressiondigitals[.]agency/files2/LViS Store Marketing.lnk
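To check a shortcut for the traits described above (PowerShell launched in a hidden window, string-replacement obfuscation) and to recover the Machine ID and drive serial that allow pivoting to related samples, here is an added Python example; it is not part of eSentire’s writeup or any TRU tooling. The .lnk bytes it parses are a constructed sample built by build_sample_lnk, and the field offsets follow the MS-SHLLINK specification.

```python
import struct
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))  # LinkFlags, MS-SHLLINK 2.1.1
TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature; the block carries the NetBIOS MachineID
def parse_lnk(buf):
    """Pull the fields ExifTool surfaces: ShowCommand, arguments, drive serial, machine ID."""
    flags, show = struct.unpack_from("<I", buf, 0x14)[0], struct.unpack_from("<I", buf, 0x3C)[0]
    out = {"hidden_window": show == 7, "args": "", "drive_serial": None, "machine_id": None}  # 7 = SW_SHOWMINNOACTIVE
    pos = 0x4C  # end of ShellLinkHeader
    if flags & HAS_IDLIST:  # skip the shell item ID list via its size prefix
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, vol_off = struct.unpack_from("<IIII", buf, pos)
        if li_flags & 1:  # VolumeIDAndLocalBasePath: DriveSerialNumber sits at VolumeID+8
            serial = struct.unpack_from("<I", buf, pos + vol_off + 8)[0]
            out["drive_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
        pos += size
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):  # StringData, in file order
        if flags & bit:
            n = struct.unpack_from("<H", buf, pos)[0]
            if bit == HAS_ARGS:
                out["args"] = buf[pos + 2:pos + 2 + n * width].decode(enc)
            pos += 2 + n * width
    while pos + 8 <= len(buf):  # ExtraData blocks; a size below 4 is the terminal block
        size, sig = struct.unpack_from("<II", buf, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            out["machine_id"] = buf[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
        pos += size
    return out

def triage(info):
    """Findings to escalate, matching the traits described above (hidden PowerShell, string-replace obfuscation)."""
    a = info["args"].lower()
    checks = {"powershell-launch": "powershell" in a,
              "hidden-window": info["hidden_window"] or "-w hidden" in a or "windowstyle hidden" in a,
              "string-replace-obfuscation": ".replace(" in a or "-replace " in a}
    return [name for name, hit in checks.items() if hit]

def build_sample_lnk(args, machine_id, serial):
    """Constructed minimal .lnk for testing (not a real DUCKTAIL file): header, LinkInfo+VolumeID, args, TrackerDataBlock."""
    hdr = struct.pack("<I16sIIQQQIIIH", 0x4C, bytes.fromhex("0114020000000000c000000000000046"),
                      HAS_LINKINFO | HAS_ARGS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 7, 0) + b"\0" * 10
    vol = struct.pack("<IIII", 17, 3, serial, 16) + b"\0"  # VolumeID: size, DriveType, serial, label offset, empty label
    base = b"C:\\Windows\\System32\\cmd.exe\0"
    li = struct.pack("<IIIIIII", 29 + len(vol) + len(base), 28, 1, 28, 28 + len(vol), 0, 28 + len(vol) + len(base))
    sd = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + machine_id.encode().ljust(16, b"\0") + b"\0" * 64
    return hdr + li + vol + base + b"\0" + sd + tracker + b"\0\0\0\0"
```

The drive serial and machine ID returned by parse_lnk are the values to search for in malware repositories when clustering related shortcuts, as done above with “desktop-oalig8v” and “7838-8B0E”.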
The decoy PDF is a fake job offer for a Facebook Ads Specialist; it replaces the malicious .lnk file on disk and is then opened automatically during the next step.
The payload 83ecbfdfa31f9934338a0f5b5edfdcfa is an unsigned .NET executable originally named “HawkEyes”. We’ll call this first stage the HawkEyes loader.
The first stage payload performs several anti-analysis checks, such as looking for debugging tools (Figure 8), the number of running processes and common malware sandbox attributes.
After the anti-analysis checks are passed, it decompresses data stored in the resource file HawkEyes.Res1, modifies it by adding random bytes, and saves it to the user’s Documents folder with a random number between 50 and 100 appended to the filename. The new payload is then started.
HawkEyes also contains code to create or remove itself from the startup folder and registry.
The new file is another .NET payload (MD5: DCAF0652E1602ECAEDAB32F078C993C9). This payload appears to contain the majority of the functionality familiar from DUCKTAIL malware.
DUCKTAIL’s .NET payloads have undergone several changes, and much of the second stage payload is obfuscated. Thankfully, its functionality can still be gleaned from memory analysis, where strings appear in cleartext, base64-encoded and double-base64-encoded form.
It collects various information about the system using WMI commands and headless Chrome, retrieving network and browser information from whatismybrowser[.]com and ip-api[.]com. This information is stored in “System Information.txt”.
Browser data is also collected from the victim’s registry via HKEY_LOCAL_MACHINE\Software\WOW6432Node\Clients\StartMenuInternet.
One possible reason for collecting this information is to closely emulate the system to avoid detection by the target website when connecting with stolen account information.
Data sought by this malware is not unlike general purpose stealers. Double base64-encoded memory strings show various files and identifiers tied to browsing information, including saved credit cards, cookies, bookmarks, and encrypted logins. We also see strings associated with decrypting stored web credentials.
This data appears to be stored in various text files and exfiltrated to the C2 within an encrypted zip file, via a Telegram Bot at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/sendDocument.
Finally, we see diagnostic output related to collection of Facebook business accounts:
DUCKTAIL is known to target Facebook Ad and Business accounts. Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is generated by which the threat actor can grant themselves access.
DUCKTAIL uses the victim’s machine to interact with the Facebook API endpoints and configure new email addresses. These email addresses are retrieved from the Telegram C2 at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/getUpdates.
Accessing this endpoint does not require authentication and email addresses appear to rotate on set intervals.
The common structure of these email accounts ([email protected]) would suggest these are generated by threat actors and not compromised accounts.
There are several possibilities for monetizing compromised Facebook Business accounts. Researchers from Deep Instinct recently suggested these accounts could be used to set up imitation business pages and scam unsuspecting customers. Another possibility is that threat actors are pushing white-label products at inflated prices using ads paid for by the victim organization.