In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In May 2024, eSentire's Threat Response Unit (TRU) detected an instance of fake updates delivering BitRAT and Lumma Stealer.
Fake browser updates have caused numerous malware infections, including the well-known SocGholish campaigns. In April 2024, we observed FakeBat being distributed through a similar fake update mechanism.
The infection chain began when the user visited a compromised webpage containing injected malicious JavaScript (Figure 1).
When the compromised page loads, the injected JavaScript runs and redirects the user to the fake update page (Figure 2). After de-obfuscating the code, we found the redirect logic hidden within the JavaScript (Figure 3). The redirect target only serves the fake update page when the HTTP Referer header matches the compromised page, so the page cannot be reached by visiting the URL directly; an analyst reproducing the chain has to supply the original page as the referrer.
The chatgpt-app[.]cloud site contains a download link for a ZIP archive named 'Update.zip', which is downloaded to the victim's device automatically. The archive itself is hosted on Discord's Content Delivery Network (CDN) (Figure 4).
The fake browser update lure has become a common initial-access technique. Once the victim runs it, the JavaScript file (Update.js) inside the ZIP archive acts as the initial downloader for the later stages. The archive also contains several PowerShell scripts that download and execute the next-stage loader and payloads from http://77[.]221[.]151[.]31.
In the incident observed, multiple PowerShell scripts ran after Update.js executed, as shown in Figure 5 below:
The IP address in the PowerShell script is a known BitRAT command-and-control (C2) address; it hosts both the BitRAT and Lumma Stealer payloads. The hosted files carry a .png extension but are not images: they contain the loader, the persistence mechanism and the payloads.
Four unique files were identified in this attack, each serving a different purpose:
Starting with z.png: this PowerShell script bypasses AMSI, renames the payload 0x.png to 0x.log, hides it in C:\Users\Public, and sets it to run at startup by adding a Registry Run key. It then retrieves and executes a.png, which contains the loader and the BitRAT payload (Figure 6).
The 0x.log file (originally 0x.png) contains a further PowerShell script that acts as the persistence mechanism for the BitRAT payload file, a.png: each time it runs, it downloads a.png and executes it (Figure 7).
Both payload-carrying files, a.png and s.png, include an AMSI bypass and code that uses .NET reflection to load the embedded loader and execute the payload inside a RegSvcs.exe process (Figure 8).
Each of a.png and s.png has two parts: the loader and the payload. The loader portion appears almost identical in both files; the only apparent difference is the file hash, which reflects the different embedded payload.
The loader is a .NET portable executable (PE) obfuscated with Crypto Obfuscator (5.x). Its job is to take the payload binary decrypted by the file's PowerShell script and inject it into RegSvcs.exe (Figure 9).
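The chain above leaves three host artifacts a responder can check without any signature for the samples themselves: a Run key that feeds a non-script file (0x.log) to PowerShell from C:\Users\Public, files whose extension (.png, .log) does not match their content, and RegSvcs.exe being spawned by PowerShell. The triage rules below are an added example written for this article, not code from the original post or from eSentire; the registry values, file headers and process events at the bottom are constructed samples that mirror the reported behaviour, not data from the incident.

```python
"""Triage rules for the fake-update -> PowerShell -> RegSvcs.exe chain.

All sample telemetry at the bottom is constructed for illustration.
"""
import re
from dataclasses import dataclass

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Tokens typical of the PowerShell stages described above (AMSI bypass, reflection, IEX).
PS_TOKENS = re.compile(rb"\$\w+\s*=|\[Ref\]\.Assembly|Invoke-Expression|\bIEX\b|FromBase64String", re.I)


@dataclass(frozen=True)
class RunKeyValue:
    name: str
    command: str


@dataclass(frozen=True)
class FileRecord:
    path: str
    head: bytes          # first bytes of the file on disk
    hidden: bool = False


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def check_run_keys(values):
    """Flag Run-key entries that launch content from C:\\Users\\Public or hand a
    non-.ps1 file (e.g. 0x.log) to PowerShell."""
    findings = []
    for v in values:
        cmd = v.command.lower()
        from_public = "\\users\\public\\" in cmd
        ps_non_script = "powershell" in cmd and re.search(r"\.(log|png|txt|dat)\b", cmd) is not None
        if from_public or ps_non_script:
            findings.append({"rule": "suspicious_run_key", "name": v.name, "command": v.command})
    return findings


def classify_content(head: bytes) -> str:
    """Classify a file by its leading bytes rather than its extension."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(b"MZ"):
        return "pe"
    if PS_TOKENS.search(head):
        return "powershell"
    return "unknown"


def check_files(files):
    """Flag files that claim to be images or logs but contain a PE or a PowerShell script."""
    findings = []
    for f in files:
        ext = f.path.rsplit(".", 1)[-1].lower()
        kind = classify_content(f.head)
        if ext in ("png", "jpg", "log", "txt") and kind in ("pe", "powershell"):
            findings.append({"rule": "extension_mismatch", "path": f.path, "content": kind, "hidden": f.hidden})
    return findings


def check_processes(events):
    """Flag RegSvcs.exe (a .NET Framework tool) started by PowerShell: the reflective
    loader injects its payload into exactly this process."""
    findings = []
    for e in events:
        if e.image.lower().endswith("regsvcs.exe") and "powershell" in e.parent_image.lower():
            findings.append({"rule": "regsvcs_from_powershell", "parent": e.parent_image, "command_line": e.command_line})
    return findings


def triage(run_keys, files, events):
    return check_run_keys(run_keys) + check_files(files) + check_processes(events)


# Constructed sample telemetry (not from the incident).
SAMPLE_RUN_KEYS = [
    RunKeyValue("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    RunKeyValue("0x", r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\0x.log"),
]
SAMPLE_FILES = [
    FileRecord(r"C:\Users\alice\Pictures\wallpaper.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    FileRecord(r"C:\Users\Public\0x.log", b"$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');", hidden=True),
    FileRecord(r"C:\Users\Public\a.png", b"MZ\x90\x00\x03\x00\x00\x00"),
]
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "RegSvcs.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\System32\msiexec.exe", "RegSvcs.exe /tlb app.dll"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_KEYS, SAMPLE_FILES, SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed samples, the rules return four findings: the 0x Run key, the two mislabelled files in C:\Users\Public, and the PowerShell-spawned RegSvcs.exe, while the OneDrive entry, the real PNG and the installer-launched RegSvcs.exe pass. Feeding real data means exporting the Run keys, reading the first few hundred bytes of candidate files, and pulling process-creation events (Sysmon event 1 or equivalent) from the endpoint.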
BitRAT is a feature-rich remote access tool. Its advertised capabilities include two connection modes (direct reverse connection and Tor), a UAC bypass for elevated privileges, process protection, and management of over 10,000 clients.
It also offers a binder for up to five files, a remote browser supporting Chrome, password recovery for various applications, an XMR (Monero) miner, a reverse proxy in SOCKS4 mode, remote desktop access, a live webcam feed, a file manager with ZIP compression, keylogging, a live audio feed, and SOCKS5 proxy support.
The BitRAT sample analyzed in this case was UPX packed and contained an encrypted configuration. The configuration data is decrypted using the following steps:
The decrypted configuration:
Lumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware written in C. It has been sold as Malware-as-a-Service on Russian-speaking forums since August 2022. Created by the threat actor "Shamel" under the alias "Lumma", it targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims' machines.
Stolen data is sent to the C2 server in HTTP POST requests whose User-Agent begins with "Mozilla/5.0". Lumma Stealer also includes a non-resident loader that can deploy further payloads as EXE, DLL or PowerShell.
This article covers only the major sections of Lumma Stealer, as eSentire has previously analyzed it in detail.
Notable strings appear in Lumma Stealer's C2 communication, including the version and the Lumma ID (lid), also referred to as the build ID, which identifies the specific build (Figure 10).
The payload also embeds the User-Agent string the malware uses (Figure 11).
Another parameter, "act", is initialized with the value "life" and is used for the initial check-in with the C2 (Figure 12).
The sample embeds nine domains for C2 communication, visible as base64-encoded strings in Figure 13 (left). At runtime the C2 domains are recovered by the routine shown in Figure 13 and described below.
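The three observable properties above (an HTTP POST, a User-Agent beginning "Mozilla/5.0", and form fields act=life plus lid alongside a version) are enough to pick the check-in out of captured web traffic. The parser below is an added example written for this article, not code from the original post or from eSentire. The requests it runs on are constructed, not captured; the /api path, the field name "ver" for the version, the host names and the multipart layout are assumptions made for illustration, since the post does not reproduce the raw request.

```python
"""Flag Lumma-style C2 check-ins in raw HTTP POST requests.

Sample requests are constructed; path, 'ver' field name and host names are assumptions.
"""
import re
from urllib.parse import parse_qs


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(headers, body: bytes):
    """Return form fields as {name: value} from urlencoded or multipart bodies."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    boundary = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or not boundary:
        return {}
    fields = {}
    for part in body.split(b"--" + boundary.group(1).encode()):
        part = part.strip()
        if not part or part == b"--":          # leading empty chunk / closing delimiter
            continue
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', part_head)
        if name:
            fields[name.group(1).decode()] = part_body.strip().decode("latin-1")
    return fields


def lumma_checkin(raw: bytes):
    """Return the check-in fields if the request matches the beacon pattern, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not headers.get("user-agent", "").startswith("Mozilla/5.0"):
        return None
    fields = parse_form(headers, body)
    if fields.get("act") != "life" or "lid" not in fields:
        return None
    return {"host": headers.get("host"), "path": path, "lid": fields["lid"], "version": fields.get("ver")}


# Constructed samples (not captured traffic).
BEACON_MULTIPART = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Content-Type: multipart/form-data; boundary=----BoundaryExample\r\n"
    b"\r\n"
    b"------BoundaryExample\r\n"
    b'Content-Disposition: form-data; name="act"\r\n\r\nlife\r\n'
    b"------BoundaryExample\r\n"
    b'Content-Disposition: form-data; name="ver"\r\n\r\n4.0\r\n'
    b"------BoundaryExample\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\nEXAMPLEBUILDID\r\n'
    b"------BoundaryExample--\r\n"
)
BEACON_URLENCODED = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"act=life&ver=4.0&lid=ABC123"
)
BENIGN_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=bob&pass=hunter2"
)

if __name__ == "__main__":
    for sample in (BEACON_MULTIPART, BEACON_URLENCODED, BENIGN_LOGIN):
        print(lumma_checkin(sample))
```

The User-Agent check alone is worthless (every browser starts with "Mozilla/5.0"); the combination of a POST, act=life and a lid field is what makes the rule specific. In practice the extracted lid is the pivot: the same build ID across hosts ties separate infections to one distribution campaign, which is the point the next section makes about the C2 domain list.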
The C2 domain list decryption function is outlined as follows:
We have released a script that performs these operations for the above strings and produces the C2 domains, which is available here.
The decrypted configuration includes the following C2 domains:
The use of fake updates to deliver different malware families shows the operator's ability to exploit trusted brand names to maximize reach and impact. The same .NET loader appearing in both payload files suggests that the fake update chain operates as a malware delivery service: the payload is interchangeable, so similar incidents in the future will likely load a variety of other malware.
Our 24/7 SOC Cyber Analysts investigated the suspicious activity, notified the client, and isolated the affected device.
You can access the indicators of compromise here.