Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
eSentire, a leading cybersecurity solutions provider, is warning enterprises and individuals that a hacking group is spearphishing business professionals on LinkedIn with fake job offers in an effort to infect them with a sophisticated backdoor Trojan. Backdoor trojans give threat actors remote control over the victim’s computer, allowing them to send, receive, launch and delete files.
eSentire’s research team, the Threat Response Unit (TRU), discovered that hackers are spearphishing victims with a malicious zip file using the job position listed on the target’s LinkedIn profile. For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer. The threat group behind more_eggs, Golden Chickens, sell the backdoor under a malware- as- a- service(MaaS) arrangement to other cybercriminals. Once more_eggs is on the victim’s computer system, the Golden Eggs seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.
“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. They are:
1. It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
2.Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
3.Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.
These three elements make more_eggs, and the cybercriminals which use this backdoor very lethal.”
In the spearphishing incident, which the TRU team disrupted, the target was a professional working in the healthcare technology industry. Upon downloading and executing the alleged job file, the TRU team saw that the victim unwittingly executed VenomLNK, an initial stage of more_eggs. By abusing Windows Management Instrumentation , VenomLNK enables the malware’s plugin loader, TerraLoader, which then hijacks legitimate Windows processes, cmstp and regsvr32. (See Image 1). While TerraLoader is being initiated, a decoy word document is presented to the victim. The document is designed to impersonate a legitimate employment application, (See Image 2) but it serves no functional purpose in the infection. It is merely used to distract the victim from the ongoing background tasks of more_eggs. TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, TerraPreter, an ActiveX control (.ocx file) downloaded from Amazon Web Services. At this point, TerraPreter begins beaconing to a Command & Control server (C2) via the rogue copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal, whether it is to infect the victim with additional malware, such as ransomware, or to get a foothold into the victim’s network so as to exfiltrate data. eSentire’s security analysts disrupted the operation, and the TRU began investigating.
More_eggs maintains a stealthy profile by abusing legitimate Windows processes and feeds those process instructions via script files. Additionally, campaigns using the MaaS offering appear to be sparse and selective in comparison to typical malspam distribution networks. Because of the stealth and spearphishing capabilities of the more_eggs operation, the Golden Chickens threat group enjoys patronage from notable advanced threat groups, such as FIN6, Cobalt Group and Evilnum.
Thus far, the TRU team has not discovered forensics indicating the identity of the hacking group which is trying to spearphish the LinkedIn members. However, as mentioned, this malware-as a service has been used by three notable threat groups: FIN6, Cobalt Group and Evilnum.
Since this spearphishing attack was disrupted, the TRU team cannot know with certainty what the end game is for this incident. What we do know is that this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment and pharmaceutical companies, which offer online shopping, were targeted. The threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles, in their communications to the employees. Similar to the current incident, they also used malicious email attachments and if the target clicked on the attachment, they got hit by more_eggs.
FIN6- FIN6 is a financial cybercrime group that primarily steals payment card data and sells it on underground marketplaces. The FIN6 group first gained notoriety in 2014 for their attacks against point- of- sale (POS) machines in retail outlets and hospitality companies. Continuing their quest for credit and debit card data, they later moved on to targeting e-Commerce companies and stole their credit card data via online skimming. The FIN6 threat group has also been known to infect some of their victims with ransomware.
Interestingly, researchers reported in Feb. 2019 that FIN6 was specifically targeting numerous e-Commerce companies and using malicious documents to infect their targets with more_eggs as the initial phase of their attack. This could be the same campaign, which was reported in Feb. 2019 and which we previously mentioned--- in which threat actors were observed attacking retail, entertainment and pharmaceutical companies’ online payments systems and using malicious documents, laden with more_eggs, to target the companies’ employees. Of course, it could be a separate campaign entirely. However, what we do know is that the targets (eCommerce companies) and tools (more_eggs) were used in both reported attack campaigns.
Later that year, in August 2019, security researchers found that the FIN6 group began another malicious campaign. The researchers believe the FIN6 threat actors were actively going after multinational organizations. Similar to the current incident, FIN6 spearphished specific employees with fake job offers. If the targets fell for the lure, they too were infected with the more_eggs backdoor.
Evilnum- The Evilnum cybercrime group is best known for compromising financial technology companies, companies that provide stock trading platforms and tools. Their target is financial information about the targeted FINTECH companies and their customers. They target items such as spreadsheets and documents with customer lists, investments and trading operations and credentials for trading software/platforms and software.
Coincidentally, the Evilnum group is also known to spearphish employees of the companies they are targeting and enclose malicious zip files. If executed, the employees get hit with the more_eggs backdoor, along with other malware.
Cobalt Group- The Cobalt Group is also known to go after financial companies, and it has repeatedly used the more_eggs backdoor in their attacks.
The LinkedIn member is in the healthcare technology sector.
Image1: An outline of how the more_eggs backdoor behaves once it is initiated by the victim.
Image 2: Word document which poses as an employment application which is served up to the business professional once they download the zip file which alleges to be a job offer.
C2 beacon: d27qdop2sa027t.cloudfront[.]net
Download Server: ec2-13-58-146-177.us-east-2.compute.amazonaws[.]com
.zip hash: 776c355a89d32157857113a49e516e74
Ipconfig: cmd /v /c ipconfig /all > "C:\Users\<REDACTED>\AppData\Local\Temp\64813.txt" 2>&1
regsvr32 /s /u "C:\Users\<REDACTED>\AppData\Roaming\Microsoft\<REDACTED>.ocx”
sh = new ActiveXObject("Shell.Application")
sh.ShellExecute("msxsl.exe", "<REDACTED>.txt <REDACTED>.txt", "C:\Users\<REDACTED>\AppData\Roaming\Microsoft\", "", 0)
evlinum js: C:\Users\<REDACTED>\AppData\Roaming\Microsoft\57930.ocx