In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Recent Dridex malware documents that attempt to self-replicate using Excel 4.0 macros.
In this context, self-replicate means that recent samples of the malware document contain a function that automatically emails a copy of the workbook to a list of targets.
Dridex first appeared in 2014 and is a banking trojan commonly distributed via emails carrying malicious Microsoft Office documents.
Figure 1 The observed Dridex malware document
The functionality of the recent malicious Excel documents can be described in two stages:
Stage 1: The VBScript downloads a Dridex DLL payload from the Discord chat service, saves it with an .mp4 file extension in the C:\ProgramData\ folder, and executes it with rundll32.exe. The extension is cosmetic: rundll32.exe loads the file as a DLL regardless of its name, so extension-based controls do not stop this step.
Figure 2 Excel Macro, Stage 1
Stage 2: The macro contacts a remote host and saves the response to a text file before calling the SEND.MAIL function.
Figure 3 Excel Macro, Stage 2
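The two stages above leave static fingerprints inside the workbook itself: an Excel 4.0 macro sheet (usually hidden or veryHidden) whose formulas call EXEC/CALL-style functions to drop and run a payload, and a SEND.MAIL call to mail the workbook onward. The following triage script is an added example, not eSentire's or TRU's code. It unpacks an .xlsm, pulls every formula from the macro sheet and worksheet parts, and reports which stage-1 and stage-2 indicators appear. The indicator lists, the watch for "rundll32" in formula text and the minimal sample workbook are constructed assumptions for illustration; the sample is not a real Dridex document.

```python
# Added example (not eSentire's code): static triage of an .xlsm for the
# two-stage XLM pattern (drop/run a payload, then SEND.MAIL the workbook).
# Indicator sets and the sample workbook are assumptions built for illustration.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Assumed indicator sets: XLM functions used to drop/run a payload (stage 1)
# and to mail the workbook to a target list (stage 2).
STAGE1_FUNCS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL"}
STAGE2_FUNCS = {"SEND.MAIL"}
FUNC_RE = re.compile(r"([A-Z][A-Z0-9.]*)\s*\(")


def iter_formulas(doc):
    """Yield (part, cell, formula) for every <f> element in macro and worksheet parts."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part in z.namelist():
            if not part.endswith(".xml"):
                continue
            if not (part.startswith("xl/macrosheets/") or part.startswith("xl/worksheets/")):
                continue
            root = ET.fromstring(z.read(part))
            for cell in root.iter("{%s}c" % MAIN_NS):
                f = cell.find("{%s}f" % MAIN_NS)
                if f is not None and f.text:
                    yield part, cell.get("r"), f.text


def hidden_sheets(doc):
    """Return {sheet name: state} for sheets marked hidden or veryHidden in workbook.xml."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        root = ET.fromstring(z.read("xl/workbook.xml"))
    return {s.get("name"): s.get("state")
            for s in root.iter("{%s}sheet" % MAIN_NS)
            if s.get("state") in ("hidden", "veryHidden")}


def triage(doc):
    """Summarise stage-1 / stage-2 indicators found in the workbook bytes."""
    result = {"has_macrosheet": False, "hidden_sheets": hidden_sheets(doc),
              "stage1": [], "stage2": []}
    for part, cell, formula in iter_formulas(doc):
        if part.startswith("xl/macrosheets/"):
            result["has_macrosheet"] = True
        upper = formula.upper()
        funcs = set(FUNC_RE.findall(upper))
        if funcs & STAGE1_FUNCS or "RUNDLL32" in upper:
            result["stage1"].append((part, cell, formula))
        if funcs & STAGE2_FUNCS:
            result["stage2"].append((part, cell, formula))
    result["verdict"] = "suspicious" if (result["stage1"] or result["stage2"]) else "clean"
    return result


def build_workbook(malicious=True):
    """Constructed minimal .xlsm (not a real Dridex sample) with a veryHidden XLM sheet."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if malicious:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>'
                % (MAIN_NS, REL_NS, sheets))
    worksheet = ('<worksheet xmlns="%s"><sheetData><row r="1"><c r="A1"><f>SUM(B1:B3)</f>'
                 '</c></row></sheetData></worksheet>' % MAIN_NS)
    macrosheet = (r'<macrosheet xmlns="%s"><sheetData>'
                  r'<row r="1"><c r="A1"><f>EXEC("rundll32.exe C:\ProgramData\update.mp4,DllRegisterServer")</f></c></row>'
                  r'<row r="2"><c r="A2"><f>SEND.MAIL(B1,"Invoice")</f></c></row>'
                  r'<row r="3"><c r="A3"><f>HALT()</f></c></row>'
                  r'</sheetData></macrosheet>' % MAIN_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        if malicious:
            z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        r = triage(build_workbook(malicious=flag))
        print(r["verdict"], "hidden:", r["hidden_sheets"],
              "stage1:", len(r["stage1"]), "stage2:", len(r["stage2"]))
```

Run it against a real suspect file with `triage(open(path, "rb").read())`. A legitimate workbook rarely has any `xl/macrosheets/` part at all, so `has_macrosheet` alone is a strong signal; the stage-1/stage-2 split is what tells you whether the sample is of the self-replicating kind described here.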
SEND.MAIL is a documented Excel 4.0 macro function which sends the active workbook to a list of email addresses supplied as an argument.
Figure 4 SEND.MAIL Reference
The macro contacts the Command and Control (C2) server, retrieves a list of email addresses, and passes them to the SEND.MAIL function, which attempts to email a copy of the workbook to each. The C2 list contains thousands of addresses and returns a different subset each time it is contacted.
In testing, this self-replicating technique had limited success, and some researchers have speculated that the email function is a decoy.
However, the Dridex operators have since taken steps to better protect their email list generator from unwelcome visitors, which could indicate the feature is of value to the Dridex operators.
TRU team members analyzed the associated documents and command-and-control infrastructure and confirmed that existing detections identified this Dridex malware document.
TRU compared more than 90,000 unique target emails from the exposed email generator described in Figure 3 to existing customers and notified those on the list.
What can you learn from this TRU positive?
Malware authors are continually searching for ways to efficiently spread their malware. Using compromised assets as a jumping point for malware distribution is advantageous as it leverages trusted networks, thus increasing the chance for subsequent emails to evade reputation-based filters. Threats such as Emotet have found success employing stolen emails for malware delivery.
While simple to implement, the effectiveness of the Excel email function as a propagation mechanism remains unproven.
Some threat actors have shifted away from email-based delivery in favor of watering-hole attacks, but email remains a popular initial access vector. User training is critical in ensuring this content is identified and reported by staff.
Recommendations from our Threat Response Unit (TRU) Team:
Employ email filtering and protection measures
Implement anti-spoofing measures such as SPF, DKIM and DMARC.
Employ an MFA solution to reduce impact of compromised credentials.
Train users to identify and report suspicious emails, including from trusted contacts.
Protect endpoints against malware
Ensure antivirus signatures are up-to-date.
Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
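Endpoint detection for this sample does not need a signature for the document: stage 1 produces a distinctive process tree, an Office application spawning rundll32.exe to load a file from C:\ProgramData that does not carry a DLL-style extension. The following detection logic is an added example, not eSentire's or TRU's code. It runs over constructed, Sysmon-style process-creation events (field names and the events themselves are assumptions for illustration) and scores each rundll32.exe launch on three independent signals: an Office parent, a module whose extension is not DLL-like, and a module under an assumed staging directory. Requiring at least two of the three keeps legitimate rundll32.exe use (Control Panel applets, shell32 calls) out of the alert queue.

```python
# Added example (not eSentire's code): endpoint-side detection for the stage-1
# execution pattern, rundll32.exe loading a non-DLL-named file from C:\ProgramData
# on behalf of an Office process. Events are constructed, Sysmon-style dicts.
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_LIKE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
STAGING_DIRS = (r"c:\programdata", r"c:\users\public")  # assumed watch list

# Matches "[path\]rundll32[.exe] <module>" where the module may be quoted;
# the module is whatever precedes the first comma (the export name follows it).
MODULE_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def rundll32_module(command_line):
    """Return the module path rundll32 was asked to load, or None if not parseable."""
    m = MODULE_RE.match(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def analyse(event):
    """Return the list of reasons a rundll32 launch looks like the stage-1 pattern."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "rundll32.exe":
        return reasons
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    module = rundll32_module(event.get("CommandLine", ""))
    if parent in OFFICE_APPS:
        reasons.append("office parent: " + parent)
    if module:
        ext = ntpath.splitext(module)[1].lower()
        if ext not in DLL_LIKE_EXT:
            reasons.append("non-DLL module extension: " + (ext or "<none>"))
        if module.lower().startswith(STAGING_DIRS):
            reasons.append("module in staging dir: " + ntpath.dirname(module))
    return reasons


def scan(events, min_reasons=2):
    """Return [(RecordId, reasons)] for events that meet the alert threshold."""
    hits = []
    for ev in events:
        reasons = analyse(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["RecordId"], reasons))
    return hits


# Constructed sample telemetry (not real customer data).
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\invoice.mp4,DllRegisterServer"},
    {"RecordId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"RecordId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\addin.dll",Run'},
    {"RecordId": 4,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\ProgramData\stage.txt,Start"},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS):
        print(record_id, "->", "; ".join(reasons))
```

Record 1 reproduces the sample's behaviour and trips all three signals; record 4 shows the threshold also catching the same drop-and-run pattern when the parent is not an Office process, while record 3 (Excel loading a properly named DLL from Program Files) stays below it.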
Do I have an email security solution capable of identifying and preventing malicious Dridex emails?
Is endpoint monitoring in place to identify malware that does reach a user’s machine?
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.