In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In July 2024, eSentire's Threat Response Unit (TRU) detected an infection affecting a customer in the government sector. This incident involved multiple malware threats – XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT – leveraging a WebDAV server hosted on TryCloudflare.
WebDAV (Web Distributed Authoring and Versioning) is a protocol that allows users to manage files on remote web servers, making it an effective method for threat actors to host and distribute malicious files because it facilitates easy remote access and file manipulation.
TryCloudflare is a free offering from Cloudflare intended for web development and testing. Its primary use case is the creation of internet-accessible servers proxied through Cloudflare’s infrastructure. The TryCloudflare tool uses a simple command to serve traffic from the internet to a local machine using a randomly generated subdomain under trycloudflare.com.
The initial access vector was a phishing email, similar to one reported by Security Researcher Germán Fernández. The user received a ZIP archive containing a URL shortcut, which led to a shortcut file (.lnk) hosted on a TryCloudflare-proxied WebDAV server. The shortcut file contained instructions to execute malicious batch files responsible for retrieving and executing additional Python payloads.
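As an added example (not from the eSentire report), the following defender-side check runs over constructed proxy log lines and flags requests to randomly named trycloudflare.com subdomains when they use WebDAV methods or fetch shortcut/script files like the .lnk and .bat stagers described above. The log layout, hostnames and client addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from the report). Hypothetical layout:
# "client method host path status".
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET www.example.com /index.html 200
10.0.0.7 PROPFIND brief-shade-random.trycloudflare.com /share/ 207
10.0.0.7 GET brief-shade-random.trycloudflare.com /share/invoice.lnk 200
10.0.0.7 GET brief-shade-random.trycloudflare.com /share/new.bat 200
10.0.0.9 GET docs.example.org /report.pdf 200
10.0.0.9 GET trycloudflare.com / 200
"""

# A tunnel always gets a generated label under trycloudflare.com; the bare
# apex host has no tunnel behind it and is not matched.
TRYCLOUDFLARE_TUNNEL = re.compile(r"^[a-z0-9-]+\.trycloudflare\.com$")
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
STAGER_EXTENSIONS = (".lnk", ".bat", ".cmd", ".py", ".zip")

@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    path: str
    reason: str

def parse_line(line):
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, host, path, _status = parts
    return client, method.upper(), host.lower(), path

def scan_proxy_log(text):
    """Flag WebDAV browsing of, or stager downloads from, TryCloudflare tunnels."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, path = rec
        if not TRYCLOUDFLARE_TUNNEL.match(host):
            continue
        if method in WEBDAV_METHODS:
            alerts.append(Alert(client, host, path, f"WebDAV method {method}"))
        elif path.lower().endswith(STAGER_EXTENSIONS):
            name = path.rsplit("/", 1)[-1]
            alerts.append(Alert(client, host, path, f"stager file {name}"))
    return alerts
```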
The shortcut file leads to the execution of the new.bat file (MD5: 0d79c56f9198117a98334ead5d033974). Threat actors obfuscated the batch files by prepending the bytes “FF FE 26 40 63 6C 73” to the beginning of the batch file, causing the contents to be interpreted as UTF-16LE encoding (Figure 1).
Upon opening the file in a hex editor, we can see the obfuscation is based on a substitution cipher where characters are not directly stored; instead, they are represented by indices within a predefined key string. Each index refers to a position in this string from which the actual character can be retrieved.
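Added example (not from the report): a small triage helper that recognises the FF FE 26 40 63 6C 73 prefix described above and shows why it misleads. A BOM-honouring editor decodes the file as UTF-16LE and displays unrelated CJK characters, while dropping the two BOM bytes exposes the single-byte batch text. The sample file body is constructed, and the assumption that the real body is single-byte text follows from the report's wording.

```python
# Prefix described in the report: UTF-16LE BOM (FF FE) followed by "&@cls".
BATCH_OBFUSCATION_MARKER = bytes.fromhex("FFFE2640636C73")

# Constructed sample; the body is not the real new.bat content.
SAMPLE_OBFUSCATED = (BATCH_OBFUSCATION_MARKER
                     + b"\r\n@echo off\r\nrem constructed body, not the real new.bat\r\n")

def has_utf16_batch_marker(data: bytes) -> bool:
    """True if the file begins with the FF FE 26 40 63 6C 73 prefix."""
    return data.startswith(BATCH_OBFUSCATION_MARKER)

def editor_view(data: bytes) -> str:
    """What a BOM-honouring viewer shows: the BOM selects UTF-16LE, so every
    pair of ASCII bytes becomes one unrelated non-ASCII character."""
    return data.decode("utf-16", errors="replace")

def analyst_view(data: bytes) -> str:
    """Skip the two BOM bytes and read the rest as single-byte text
    (assumed ASCII body), which recovers the '&@cls' and the commands."""
    return data[2:].decode("latin-1")

def triage(files: dict) -> list:
    """Return the names of files carrying the marker, for closer review."""
    return [name for name, data in files.items() if has_utf16_batch_marker(data)]
```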
The new.bat file is responsible for the following actions:
The startuppppp.bat file is responsible for running malicious Python files such as 1.py, 2.py, 3.py, 4.py, 5.py and 6.py.
It’s worth noting that the decrypted payloads from the malicious Python files within the DXJS.zip archive are identical to those found in the FTSP.zip archive (Figure 3).
Let’s take a closer look at one of the Python scripts, 2.py (MD5: a84994e9e9de4fd82f721dbf2c8d9c58). The shellcode is base64-encoded and encrypted with RC4. The RC4 KSA (Key Scheduling Algorithm) and PRGA (Pseudo-Random Generation Algorithm) are shown in Figure 4.
After decrypting the shellcode, the malicious Python script executes it directly in memory. The script first allocates a buffer using ctypes.create_string_buffer() to hold the decrypted shellcode. It then changes the protection on this region of memory to PAGE_EXECUTE_READWRITE using VirtualProtect, accessed through the ctypes library. This step makes the previously non-executable memory region executable.
While analyzing the decrypted shellcode (MD5: c741fbaeeb14a9a95d6fb201e9e0bd6e), we found that it appears to be a Donut loader using its Chaskey cipher implementation.
The decrypted payload (the injector) within the shellcode performs the decryption of another shellcode payload via AES decryption. The initial step involves creating a set of round keys derived from the main encryption key, which are used throughout the decryption process. During decryption, data is handled in blocks, undergoing several transformations.
First, each byte of the block is substituted according to a predefined table, reversing the encryption's scrambling effect.
Next, the positions of bytes within the block are rearranged to their original order. The process also mixes the block’s data with the round keys using XOR operations, combining the data bits with the key bits to undo the encryption. A further custom function (Figure 5) modifies the data with additional transformations, such as rotations and substitutions.
Finally, another XOR operation is applied to each byte of the data block, ensuring the decryption process is complete.
The injector payload uses direct syscalls (Figure 6) to call native API functions such as NtClose, NtResumeThread, NtAllocateVirtualMemory, NtQuerySystemInformation, NtProtectVirtualMemory, NtDelayExecution, and NtWriteVirtualMemory.
This technique is primarily used to evade Endpoint Detection and Response (EDR) systems and other security monitoring tools.
The injector is also responsible for injecting the decrypted shellcode containing the encrypted final payload into the notepad.exe process via Early Bird APC Queue Code Injection using native APIs such as NtQueueApcThread, NtProtectVirtualMemory, NtWriteVirtualMemory, and NtResumeThread.
The decrypted shellcode containing the encrypted final payload is similar to the initial decrypted shellcode (Donut Loader) we analyzed. The decryption of the final payload also relies on the implementation of the Chaskey cipher within Donut Loader.
We were able to extract the configuration for the final payloads – XWorm, VenomRAT and AsyncRAT. You can access them here, along with indicators of compromise.
In summary, this malware campaign involving XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT was initiated via a phishing email. The threat actors deployed obfuscated batch files and encrypted Python files from a WebDAV server to deliver the RATs mentioned above.
These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection. A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively.
You can access the indicators of compromise here.