eSentire, the leading global provider of Managed Detection and Response (MDR) services, had previously tracked two malicious campaigns (Gootloader and SolarMarker) that targeted business professionals using Google Search throughout 2021, and now eSentire researchers have identified a third campaign that employs RedLine Stealer, an info-stealer. According to eSentire’s security research team, the Threat Response Unit (TRU), this latest campaign relies on malicious Google Ads and web pages that replicate the legitimate download page for secure chat applications such as Signal (Image 5). Using the fake Signal page, the campaign’s objective is to socially engineer victims into downloading and executing RedLine Stealer. Stolen information can be sold on the dark web or used directly in further intrusions and fraud campaigns. Similar malicious Google ad campaigns have recently been observed using AnyDesk, Dropbox and Telegram as lures.
In January 2021, following an unfavorable update to WhatsApp’s Terms of Service, users abandoned WhatsApp for alternatives and, according to analysts, migrated primarily to Signal and Telegram (See Image 1). As reported in the London Guardian, citing figures shared by the UK parliament’s home affairs committee, Signal gained 7.5 million users globally during the first three weeks of January, and Telegram gained 25 million in the UK. Shortly after, cybercriminals leveraged Signal and Telegram’s resulting market gains to deploy malicious Google Ads (See Images 2, 3 and 4). For example, when the victim clicks on the malicious ad for Signal, the computer user is taken to an exact replica of Signal’s download page (See Image 5). Using both endpoint and log data, the TRU observed contact with these ad domains preceding the installation and execution of RedLine Stealer (Images 7-10). In the case of Telegram (Images 9-10), the file name was no more descriptive than “SETUP”, but soon after the incident the user downloaded a legitimate version of Telegram, supporting the hypothesis that the user was looking for a version of Telegram to download.
Evidence that the fake, ad-based Signal page is malicious is as follows. First, most of the links on the fake Signal page do not work, while they do on the real Signal page. Second, the download button on the fake page (the one button that works) depends on an unknown PHP script controlled on the server side; the fake Signal page delivered an outdated version of Signal when TRU attempted the download, potentially because the server detected the security tools in use (Box 1). Third, the fake Signal download page uses non-standard top-level domains. Finally, all the suspicious ads share the same hosting provider, Namecheap. An analysis of registration and hosting parameters across a sample of suspicious sites of the “same structure” (as defined by urlscan) demonstrates the potential for multiple malvertising campaigns (Image 11).
The threat group behind this campaign likely created this fake Signal page to further convince the victim that they are visiting Signal’s actual website. Instead of receiving the installer, victims are served AutoIt scripts (AutoIt is a Windows scripting tool used to automate different functions) which then deploy RedLine Stealer.
The TRU observed four cyber incidents at two different organizations from late March to early April. One company is in the legal profession, while the other is in the real estate industry. Interestingly, when a TRU researcher clicked on the malicious web ads and attempted to download the Signal installer, the researcher was served an older version (1.40.1) of Signal and Signal’s icon, through a suspicious PHP script, from the legitimate Signal website (signal.org). TRU’s hypothesis is that they were not served RedLine because the threat actors’ infrastructure can detect visitors coming from virtual machines, as opposed to a physical computer. One potential indicator that a Google ad is part of this campaign is that the malicious Google ads often use suspicious-looking top-level domains (TLDs) such as .digital, .link, .store and .club, while including the name of the targeted chat app in their domain (e.g. desktop-signal.store).
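As an added defender-side example (not eSentire’s or TRU’s tooling), the script below applies the two observations in the text: it flags domains that embed a lure brand name under one of the non-standard TLDs named above while not being the brand’s real domain, then correlates each such contact in proxy logs with an executable started from the same host’s Downloads folder minutes later, the pattern shown in Images 7 to 10. The log lines, hostnames, file paths and the brand-to-legitimate-domain list are constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not from the eSentire report): "<timestamp> <host> GET <url>" proxy
# lines and "<timestamp> <host> PROCESS <image path>" endpoint process-start lines.
PROXY_LOG = """\
2021-04-05T14:02:11 ws-legal-07 GET http://desktop-signal.store/download.php
2021-04-05T14:03:40 ws-legal-07 GET https://updates.signal.org/desktop/
2021-04-05T15:10:02 ws-realty-03 GET http://telegram-desktop.link/setup
2021-04-05T16:00:00 ws-realty-03 GET https://web.telegram.org/
"""
ENDPOINT_LOG = """\
2021-04-05T14:05:30 ws-legal-07 PROCESS C:\\Users\\jdoe\\Downloads\\SIGNAL-WIN-53973.EXE
2021-04-05T15:14:45 ws-realty-03 PROCESS C:\\Users\\asmith\\Downloads\\SETUP.EXE
2021-04-05T16:01:10 ws-realty-03 PROCESS C:\\Users\\asmith\\AppData\\Local\\Telegram Desktop\\Telegram.exe
"""
# Lure brand names and the domains each is legitimately served from (assumed list; keep it current).
BRANDS = {"signal": ("signal.org",), "telegram": ("telegram.org",), "viber": ("viber.com",)}
# Non-standard TLDs the report associates with the malvertising domains.
SUSPICIOUS_TLDS = {"digital", "link", "store", "club"}

def lookalike_brand(host):
    # Return the impersonated brand when host embeds a brand name, is not that brand's real
    # domain, and ends in a suspicious TLD; otherwise None.
    host = host.lower()
    tld = host.rsplit(".", 1)[-1]
    for brand, legit in BRANDS.items():
        if brand in host and tld in SUSPICIOUS_TLDS \
                and not any(host == d or host.endswith("." + d) for d in legit):
            return brand
    return None

def correlate(proxy_log, endpoint_log, window_minutes=10):
    # Pair each lookalike-domain contact with a process started from the same machine's
    # Downloads folder within window_minutes; returns (host, domain, executable) tuples.
    contacts, hits = [], []
    for line in proxy_log.splitlines():
        ts, host, _, url = line.split(maxsplit=3)
        domain = re.match(r"https?://([^/]+)", url).group(1)
        if lookalike_brand(domain):
            contacts.append((datetime.fromisoformat(ts), host, domain))
    for line in endpoint_log.splitlines():
        ts, host, _, path = line.split(maxsplit=3)
        if "\\downloads\\" not in path.lower():
            continue
        started = datetime.fromisoformat(ts)
        for seen, chost, domain in contacts:
            if chost == host and timedelta(0) <= started - seen <= timedelta(minutes=window_minutes):
                hits.append((host, domain, path.rsplit("\\", 1)[-1]))
    return hits
```

Running `correlate(PROXY_LOG, ENDPOINT_LOG)` on the sample data pairs the desktop-signal.store contact with SIGNAL-WIN-53973.EXE and the telegram-desktop.link contact with SETUP.EXE, while the legitimate signal.org and telegram.org traffic produces no alert.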
The threat actors who launched these malicious campaigns would have had to spend money purchasing Google ads. The cost of these ads depends on many variables, including the popularity of the keyword (e.g. Signal, Telegram, Viber) and the willingness of other advertisers to pay for that keyword in their ads. Although we do not know the total amount the cybercriminals spent on the Google ads, we do know that purchasing the keyword “Telegram” can run $0.40 USD per click, while the keyword “Signal” can cost up to $1.40 USD per click. It is possible that financing for these ad purchases was itself sourced from earnings from previous malicious campaigns.
These latest incidents are a further example of how drive-by downloads are becoming a popular attack vector in 2021. Threat actors are developing their capability around hijacking computer users as they conduct business via Google Search. In the past six months, we have seen three different campaigns in which threat actors targeted unsuspecting computer users and business professionals with malicious Google Search results. Besides the RedLine campaign described here, these include the SolarMarker threat, where business professionals searching for free templates for business forms, such as invoices, questionnaires and receipts, were lured to hacker-controlled websites hosted on Google Sites. More recently, the TRU observed a campaign leveraging Gootloader, which tried to infect business professionals by enticing them to web pages that purportedly hosted examples of different business agreements.
About RedLine Stealer Malware
According to research firm Proofpoint, the RedLine Stealer malware first appeared on Russian underground markets in March 2020. Proofpoint reported that the malware was being offered for sale with several pricing options: $150 for a lite version, $200 for the pro version, or a $100 monthly subscription. RedLine steals login credentials, saved passwords and credit card data from web browsers. It has also been reported to be able to steal cryptocurrency cold wallets. RedLine also collects information about the computer user and their device, including the username, location, hardware configuration and installed security software.
Key Takeaways:
Comments from Spence Hutchinson, Manager of Threat Intelligence for eSentire
“Threat actors continue to spend time and money to capture and infect as many victims as possible. They are spending money to purchase Google ads (although they could be using stolen credit cards to purchase the ad space), and they have spent time creating believable ads and almost exact replicas of the download pages for some of the most popular secure chat applications, e.g., Signal, Telegram, Viber, etc.,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire. This signals to our research team that:
Image 1: A jump in Google searches for Telegram and Signal following the news of WhatsApp’s change in terms of service.
Image 2: Suspicious ads resulting when the word “signal” is searched on
Image 3: Suspicious ads resulting when the word “Telegram” is searched
Image 4: Suspicious ads resulting when the word “Viber” is searched
Image 5: Malicious page (http://desktop-signal[.]digital/) masquerading as the legitimate Signal download page. Download references PHP script presumably used for filtering.
Image 6: As of April 21, http://desktop-signal[.]digital is marked as phishing by CloudFlare
Image 7: Via log data, a suspicious ad domain is contacted minutes before activation of the fake Signal installer.
Image 8: RedLine Stealer spawns from the alleged Signal download, titled SIGNAL-WIN-53973.EXE
Image 9: Suspicious ad domain minutes before activation of a Setup file
Image 10: Setup file leading to RedLine Stealer behavior
Image 11: Registration and infrastructure properties of suspicious ads
For more information about this threat and how to protect against it, go to https://www.esentire.com/get-started