Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Since November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a malicious campaign targeting the manufacturing, commercial, and healthcare organizations. The campaign is similar to the one reported by Trend Micro researchers in December 2020. The campaign is believed to be conducted by native Russian speaking threat actor(s).
This malware analysis references four separate incidents where our machine-learning PowerShell classifier, Bluesteel detected malicious PowerShell commands executing a script from an attacker hosted domain. It delves deeper into the technical details of how the Resident campaign operates and our security recommendations to protect your organization from being exploited.
The initial infection vector we have observed is a phishing email. It should be noted that the SANS Internet Storm Center has also observed the campaign spreading via drive-by downloads. The threat actor(s) are using email hijacking to deliver the malicious payload with a PDF attachment. The attacker(s) adds the sender domain to Vesta Control Panel to make it look legitimate when the user browses to the domain (Figure 1).
The PDF attachment contains the link to the domain that sends the user to saprefx[.]com domain and based on the geo location of the user, the domain will either redirect the user to the final domain that hosts the JavaScript payload or displays the TeamViewer installer page as shown below (Figure 2).
The JavaScript payload is usually hosted on compromised WordPress websites. An example of the initial JavaScript payload is shown in Figure 3.
After the user opens the JavaScript attachment, the script would directly download and execute the MSI file using InstallProduct method. In our example, the first retrieved MSI installer dropped Terminal_App_Service VBS (Visual Basic Script) file under ProgramData/Cis folder (we also observed the name Imdb.vbs being used (MD5: c3f9b1fa3bcde637ec3d88ef6a350977)).
The VBS file reaches out to the C2 with the serial number of the C drive on the infected machine as a parameter then it retrieves the Windows Installer product and runs it without the user’s knowledge in the background. The script enters the loop where it would continue retrieving and installing the MSI files every 9368 milliseconds (Figure 4).
The retrieved MSI files (we observed approximately 3 MSI files being retrieved originating from the VBS script), contain the tools or scripts to take a screenshot of the host at the time of infection; this is completed with an AutoHotKey script. We have also observed AutoIt, Python scripts, and i_view32.exe tool used to take the screenshot of the host.
During the first campaign, our TRU team observed the threat actor dropping the backdoor, Cobalt Strike payload, and the Python script responsible for taking a screenshot of the host. Here are some of the files that were observed dropped on the endpoint during the first incident:
We have observed persistence techniques being created via Startup. Two shortcut files were created under the Startup folder.
The malicious PowerShell command mentioned before retrieves and executes the PowerShell script from 31.41.244[.]142. The PowerShell script loads kernel32.dll and crypt32.dll via LoadLibraryA and uses the function CryptStringToBinaryA from crypt32.dll to convert the base64 string to a binary format (Figure 10).
It then creates a file mapping of the binary data with the CreateFileMappingA function from kernel32.dll and maps the malicious payload into memory with MapViewOfFile function from the kernel32.dll. Finally, it invokes the mapped binary payload with the Invoke method.
The malicious payload which is the Cobalt Strike loader (MD5: f8d780f77553e7780ebcf917844571b0) enumerates the “powershell.exe” process using CreateToolhelp32Snapshot. It then attempts to request read and write access rights to the process. If it fails to get the access, the payload terminates (Figure 11).
The loader uses API hashing, shown in Figure 12.
Specifically using CRC32 with JAMCRC algorithm to hash the APIs with the 32-bit polynomial 0xEDB88320 that is used in CRC32 checksum table (Figure 13).
The malicious payload initially loads APIs from kernel32.dll, then the rest of the APIs from libraries such as advapi32.dll, wininet.dll and ws2_32.dll. We can create a quick IDAPython script to rename the DWORDs that store the API value (Figure 14).
The loader sample allocates the memory and decodes to MZRE header which is known for Cobalt Strike payloads that use magic_mz_x86 option to override the MZ header. The decoding routing uses a bitwise rotation as shown in Figure 15.
The decoding function can be implemented as follows:
n = 1 for byte in byte_array: b = byte & 255 ror = ((b >> (n & 7)) | (b << (8 - (n & 7)))) & 255 n += 1 print(ror)
The Cobalt Strike configuration is shown below:
{ "BeaconType": [ "HTTP" ], "Port": 80, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "31.41.244[.]142,/g.pixel", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1580103824, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "" }
In this incident, the threat actor(s) deployed their custom written backdoor tool named resident2.exe. The backdoor resident2.exe was dropped from the Cobalt Strike session and designates the end of the infection chain (Figure 17). The tools such as windows-kill.exe that terminates Windows processes and netping.exe (presumably the network ping tool) were also brought onboard by the threat actor.
The files we have observed being dropped from this case:
As you might have noticed, the index.js backdoor is also present in this case. The backdoor session was established via the command hcmd.exe index.js 2094656165.
During the established backdoor session two Cobalt Strike payloads were downloaded from 62.204.41[.]171 via the following commands:
The threat actor(s) also performed reconnaissance with the following commands:
The binary is 32-bit executable written in C programming language. Upon successful execution the binary creates a copy of itself under C:\ProgramData\RtlUpd as RtlUpd.exe. The persistence is achieved via a scheduled task named “RtlUpd” that runs every 10 minutes starting from the time when the binary was first executed (Figure 20).
The strings in the binary are encrypted with RC4 (Figure 21).
The encrypted strings are stored in .rdata section and would skip the first 4 bytes and take the next 4-5 bytes of the hexadecimal string as an RC4 key, the rest of the string would be the encrypted data (Figure 22).
<p>The binary contains the custom base64-encoded and RC4 encrypted string of in the /GET requests as shown in Figure 23.</p>
This function in Figure 24 is retrieving the volume serial number, computer name, and username of the current system. It then base64-encodes the retrieved values.
The CRC32 function in Figure 25 is supposed to calculate the checksum for the computer name and username separately although it produces different checksum values for unknown reasons.
Moving forward, the binary build the string based on the pattern %d|%08X%08X|%d|%d|%d|%d|%hs|%hs which can be translated into
The
The API retrieves the build number if the system is Windows Server 2003 R2, otherwise it would return 0 and if the value is 0 – a1 will hold the value 4 otherwise it will be 6 (Figure 26).
Next, the binary would use generated string pattern and “24de21a8-a70b-4364-82b1-dc08434c93d7” as an RC4 key to produce a value that they will use within the base64-encoding algorithm along with the generated string pattern we mentioned before. The final result is a custom base64-encoded string (Figure 27).
Further analyzing the binary, we noticed that the binary checks if the argument to run the binary contains “/p” and if it does, the binary returns 1 and reaches out C2. If the binary contains 0 arguments, it proceeds with dropping RtlUpd.exe under %ALLUSERSPROFILE%\RtlUpd.
We have noticed that the binary has the capability of dropping RtlUpd.dll as well under %ALLUSERSPROFILE%\RtlUpd and %APPDATA%\RtlUpd, it then schedules the tasks to run the files whether it is RtlUpd.exe or RtlUpd.dll. The reason it performs the checks is to confirm if the copy of the payload already exists on the system (the scheduled task is set to run the binary copy with a “/p” argument) and if the copy exists it simply initiates the C2 connection.
The binary resolves the APIs dynamically as it’s shown in Figure 28.
One of the main functionalities of resident2 binary is the ability to execute the payloads that can be placed by the threat actor(s) during the hands-on intrusion activity or directly retrieved from C2. The binary abuses LOLBAS (Living Off the Land Binaries and Scripts) – shell32 and certutil.exe to run the malicious payloads. The binary checks if the payload has “.exe” or “.dll” extensions.
If the payload is an executable, the command “rundll32.exe shell32.dll,ShellExec_RunDLL %s” would be executed; if the payload is a DLL – the command “rundll32.exe %s, Start“ is set to run, where %s is the payload filename (Figure 29).
eSentire TRU is almost certain one of the function’s functionalities is to run the Cobalt Strike payload deployed by threat actor(s). One of the Cobalt Strike payloads we have analyzed contained the “Start” value as the ordinal.
As for certutil.exe, the “-decode” parameter can be used to decode Base64-encoded data. In our case, the attacker(s) can decode the Base64-encoded payload that is hidden within the certificate file (Figure 30).
The scheduled task would be created to run the payloads using the techniques described above where the class identifier CLSID is calculated based on the name of the payload, its unique identifier and volume serial number (Figure 31).
In this incident, the threat actors initiate their intrusion by abusing wscript.exe to launch the malicious JavaScript file. Additionally, the graphic editor tool i_view32.exe was also dropped to take a screenshot of the infected host. The threat actor also attempted to deploy the Rhadamanthys stealer (Figure 32).
Files dropped:
During the case study #3 (Figure 35), at the end of the infection chain during the established C2 session, the threat actor(s) attempted to run Rhadamanthys Stealer on the host.
The stealer or, to be specific, the loader part of the stealer can be easily identified by the rundll32.exe process spawning from the initial payload with the command pattern: rundll32.exe nsis_uns{hexadecimal_numbers}, PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8| {redacted}
The nsis_uns DLL is dropped under the path C:\Users\
Rhadamanthys Stealer first appeared in September 2022 on the Russian speaking forum (Figure 36).
Currently the stealer developer is working on integrating the keylogger plugin into the stealer (Figure 37).
The stealer exfiltrates system information, screenshot, Browser credentials and cookies, crypto wallets, FTP, Mail clients, Two Factor Authentication applications (RoboForm, WinAuth, Authy Desktop), password manager (KeePass), VPN, Messenger data (Psi+, Pidgin, TOX, Discord, Telegram), Steam, TeamViewer SecureCRT, additionally it also exfiltrates NoteFly, Notezilla, Simple Sticky Notes, Windows 7 and 10 Sticky Notes. The stealer admin panel is operated within CentOS 7 (Ubuntu 16) panels.
Some of the crypto wallet extensions that the stealer exfiltrates:
Auvitas Wallet | BitApp | Crocobit |
Exodus | Finnie | GuildWallet |
ICONex | Jaxx | Keplr |
Liquality | MTV Wallet | Math |
Metamask | Mobox | Nifty |
Oxygen | Phantom | Rabet Wallet |
Ronin Wallet | Slope Wallet | Sollet |
Starcoin | Swash | Terra Station |
Tron | XinPay | Yoroi Wallet |
ZilPay Wallet | binance | coin98 |
The stealer can perform brute-force against crypto wallets using the list of custom passwords.
Browsers:
360ChromeX | 360 Secure Browser | 7Star |
AVAST Browser | AVG Browser | Atom |
Avant Browser | BlackHawk | Blisk |
Brave | CCleaner Browser | CentBrowser |
Chedot | CocCoc | Coowon |
Cyberfox | Dragon | Element Browser |
Epic Privacy Browser | Falkon | Firefox |
Firefox Nightly | GhostBrowser | Google Chrome |
Hummingbird | IceDragon | Iridium |
K-Meleont | Kinza | Kometa Browser |
SLBrowser | MapleStudio | Maxthon |
Naver Whale | Opera | Opera GX |
Opera Neon | QQBrowser | SRWare Iron |
SeaMonkey | Sleipnir5 | Slimjet |
Superbird | Twinkstar | UCBrowser |
Xvast | citrio | Pale Moon |
Torch Web Browser | UR Browser | Vivaldi |
Crypto Wallets:
Armory | AtomicWallet | Atomicdex |
Binance Wallet | Bisq | BitcoinCore |
BitcoinGold | Bytecoink | Coinomi wallets |
DashCore | DeFi-Wallet | Defichain-electrum |
Dogecoin | Electron Cash | Electrum |
Electrum-LTC | Ethereum Wallet | Exodus |
Frame | Guarda | Jaxx |
LitecoinCore | Monero | MyCrypto |
MyMonero | Safepay | Solar wallet |
Tokenpocket | WalletWasabi | Zap |
Zcash | Zecwallet Lite |
FTP clients:
Cyberduck | FTP Navigator |
FTPRush | FlashFXP |
Smartftp | TotalCommander |
Winscp | Ws_ftp |
Coreftp |
Mail Clients:
CCheckMail | Claws-mail |
GmailNotifierPro | Mailbird |
Outlook | PostboxApp |
TheBat! | Thunderbird |
TrulyMail | eM Client |
Foxmail |
VPN:
AzireVPN | NordVPN |
OpenVPN | PrivateVPN_Global_AB |
ProtonVPN | WindscribeVPN |
The stealer can retrieve the files on the host via the File Grabber module (Figure 38).
The Extension module contains the functionality to run the PowerShell scripts and download the binaries directly from the Internet via PowerShell (Figure 39).
The Task section allows the stealer to perform certain actions upon execution (Figure 40).
The Server section (Figure 41) contains the main configurations for the stealer such as the option to enable area restrictions. If the option is on, the stealer will not work in countries such as Russia and Ukraine, although the stealer developer mentioned that the stealer will not work in Commonwealth of Independent States (CIS) countries).
In addition, it also configures ports for server-side binding address (the main communication with the C2 including shellcode retrieval after the successful execution) and admin panel binding address (the attacker can change the ports from the default :443 to any other ports for the admin panel access).
The attacker can also change the gateway address which is the directory where the stealer retrieves the shellcode, “/blob” serves as a default directory.
The Build section (Figure 42) specifies how the binary is built including the options to enable anti-debugging, anti VM, launching the executable with administrative privileges and the file pump feature to increase the file size by filling it up with 0s to bypass Antivirus and some sandbox checks. The exfiltrated data is transmitted via WebSocket over the AES256 encrypted channel.
If the Task section is configured, the process
The dllhost.exe is spawned if the Extension module is configured to retrieve additional payloads or run PowerShell scripts/commands.
In this incident, the threat actors first leveraged au3.exe that then spawned a serious of other malicious executables.
Files dropped by the threat actor(s):
After obtaining the backdoor session to the infected machine via the command hcmd.exe index.js 2450639401, the actor(s) ran the systeminfo command to collect detailed system information and attempted to ping the Domain Controller. The threat actor(s) also attempted to pull the Cobalt Strike payload from the server which happens to be also the one hosting Cobalt Strike.
The command line used to retrieve the Cobalt Strike payload from the established backdoor session:
The following is the beacon configuration:
{ "BeaconType": [ "HTTP" ], "Port": 80, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "62.204.41[.]155,/pixel", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1580103824, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "" }
Our TRU team identified a malicious campaign known as Resident, which is believed to be carried out by Russian native-speaking threat actors. The threat actors behind Resident are attempting to infiltrate networks and exfiltrate data from infected machines by using backdoors, Cobalt Strike, and stealers. In particular, they have been observed using the Rhamadanthys stealer, which is known for its stealthy capabilities, instead of other more well-known stealers such as Redline and Vidar.
The threat actors are using these techniques to gain a foothold and propagate across a network laterally, making it difficult for victims to detect or respond quickly. The campaign could cause significant disruption and financial losses for those impacted. As such, eSentire’s Threat Intelligence team in collaboration with TRU have engineered various detection capabilities to detect and prevent Resident infections.
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Rhadamanthys stealer and Resident campaign:
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
Initial JS payload | 9a68add12eb50dde7586782c3eb9ff9c |
Initial JS payload | 38f030c2bfa6d74a35e2aeeee0341a244b63d15c200a808f07e3e98e7a841643 |
Resident2.exe | 6e1cdf38adb2d052478c6ed8e06a336a |
nsis_uns.dll | 0b669e2eaf21429d273cf40b096166af |
AutoHotKey | 4685811c853ceaebc991c3a8406694bf |
au3.ahk | a3ee8449df56b6fa545392eff470d77d |
index.js (backdoor) | 5bdb1ac2a38ab3e43601eee055b1983f |
Imdb.vbs | c3f9b1fa3bcde637ec3d88ef6a350977 |
MSI | d741c5622ab1eafc0a7cfa5598a6ce77 |
MSI | 9a1115c0263cbff5a5c87704cc19cf5f |
sdv.vbs | 381afda50832a82a16ee48edf54b620c |
7765676.exe (Cobalt Strike) | f199b4ef3db12ee28a05b74e61cec548 |
index.js (screenshot sender) | 44839c07923d8a37f49782e6a2567950 |
app.js (i_view32.exe runner) | 89e320093ce9d3a9e61e58c1121b76e7 |
i_view32.exe | b103655d23aab7ff124de7ea4fbc2361 |
screen1.pyw | a628240139c04ec84c0e110ede5bb40b |
hcmd.exe | f5182a0fa1f87c2c7538b9d8948ad3ce |
s.au3 (AutoIt script) | b8822d99850ac70cb3de0e1d39639add |
s.vbs | fbe2ed26374be91231f8a9056f28dddd |
windows-kill.exe | de5ecb14c8a2212beb309284b5a62aae |
Cobalt Strike | 62.204.41[.]155 |
Cobalt Strike | 31.41.244[.]142 |
Cobalt Strike | 62.204.41[.]171 |
C2 | 85.192.49[.]106 |
C2 | 89.107.10[.]7 |
C2 | 79.132.128[.]79 |
rule Resident_binary { meta: author = "eSentire Threat Intelligence" date = "2023-01-17" version = "1.0" MD5 = “6e1cdf38adb2d052478c6ed8e06a336a” strings: $certificate_blob = { C7 00 2D 2D 2D 2D C7 40 ?? 2D 42 45 47 C7 40 ?? 49 4E 20 43 C7 40 ?? 45 52 54 49 C7 40 ?? 46 49 43 41 C7 40 ?? 54 45 2D 2D C7 40 ?? 2D 2D 2D 0D C6 40 ?? 0A } $guid_build = { FF 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 89 F1 41 89 D8 4C 89 E9 49 89 C4 0F B6 44 24 ?? 89 7C 24 ?? 4C 89 E2 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? 0F B6 44 24 ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? } condition: any of them } rule Rhadamanthys_Stealer { meta: author = "eSentire Threat Intelligence" date = "2023-01-17" version = "1.0" strings: $shellcode = {37 41 52 51 41 41 41 41 53 43 49 4A 41 51 41 45 41 41 41 42 49 41 49 42} $API1 = "LoadLibraryA" $API2 = "CreateCompatibleBitmap" $API3 = "GetProcAddress" condition: $shellcode and all of ($API*) } rule Rhadamanthys_Stealer { meta: author = "eSentire Threat Intelligence" date = "2023-01-17" version = "1.0" MD5 = "ccefe8680b7d168a9e840d25a6925db3" strings: $shellcode = {37 41 52 51 41 41 41 41 53 43 49 4A 41 51 41 45 41 41 41 42 49 41 49 42} $API1 = "LoadLibraryA" $API2 = "CreateCompatibleBitmap" $API3 = "GetProcAddress" condition: $shellcode and all of ($API*) }
MITRE ATT&CK Tactic |
ID |
MITRE ATT&CK Technique |
Description |
MITRE ATT&CK TacticReconnaissance |
IDT1592 |
MITRE ATT&CK TechniqueGather Victim Host Information |
DescriptionResident performs the reconnaissance on the infected host, for example viewing the members of the "Domain Admins" group in the current domain, IP configurations and the current user's group memberships. It also gathers the information on active processes, caption, command line, creation date, computer name, executable path, OS name, and Windows version |
MITRE ATT&CK TacticInitial Access |
IDT1566.001 |
MITRE ATT&CK TechniquePhishing |
DescriptionResident initial payload is delivered via a phishing email containing an attachment |
MITRE ATT&CK TacticExecutionn |
IDT1059.007 |
MITRE ATT&CK TechniqueCommand and Scripting Interpreter: JavaScript |
DescriptionInitial Resident payload is written in JavaScript |
MITRE ATT&CK TacticPersistence |
IDT1053.005 |
MITRE ATT&CK TechniqueScheduled Task/Job: Scheduled Task |
DescriptionResident creates a copy of itself and schedules a task to run it every 10 minutes starting from the time when the binary was first executed |
MITRE ATT&CK TacticPersistence |
IDT1547.009 |
MITRE ATT&CK TechniqueBoot or Logon Autostart Execution: Shortcut Modification |
DescriptionCUGraphic.lnk is created to run the AutoHotKey and Imdb.vbs scripts |
MITRE ATT&CK TacticCobalt Strike |
IDS0154 |
MITRE ATT&CK Technique |
DescriptionResident deploys Cobalt Strike on the infected hosts |
MITRE ATT&CK TacticCollection |
IDT1113 |
MITRE ATT&CK TechniqueScreen Capture |
DescriptionResident campaign are utilizing various tools to capture the screenshot of the infected host |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.