In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Our Threat Response Unit (TRU) has observed DUCKTAIL, a malware operation discovered by WithSecure in 2022, within a customer’s environment. The DUCKTAIL malware contains general information stealing capabilities with a focus on Facebook Business accounts.
Operators are known to locate and target individuals likely to have access to these accounts, primarily businesses or individuals responsible for ad services, such as members of marketing teams.
LinkedIn is commonly used to identify and engage targets of interest. In one recent incident, a marketing specialist was contacted via LinkedIn messaging about possible freelance work for a major hotel chain.
After some back and forth, the target was sent a password protected .rar archive containing several decoy files and a shortcut payload.
The freelance advertisement lure is in line with DUCKTAIL's historical lures, which focus on marketing/advertising plans and job offers (see table below).

| Payload Name | First Seen |
|---|---|
| SPECIALIST_AGENCY_JOB-DETAILS_FOR_JULY_INTERVIEW_2023.pdf.lnk.lnk | 2023-07-12 |
| PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.pdf.lnk | 2023-07-05 |
| BRANDSTYLE FACEBOOK ADS SPECIALIST - JOB DETAILS.pdf.lnk | 2023-07-04 |
| JD MARKETING FLIGHTPATH.pdf.lnk | 2023-07-04 |
| AthletikanAU_Makerting_ Plan_2023.pdf.lnk | 2023-06-09 |
| Details of Project Marketing Plan.lnk | 2023-04-21 |
In early July 2023, TRU identified several DUCKTAIL cases, including the LinkedIn example above. In the most recent case, the user was sent a .rar file, PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.rar, which contained a handful of PNG images and a .lnk (shortcut) file masquerading as a PDF.
Examining the .lnk metadata using ExifTool shows it will execute PowerShell commands in a hidden window. The metadata shows a Machine ID “desktop-oalig8v” and Drive Serial Number “7838-8B0E”, both of which are linked to other .lnk samples on public malware repositories.
The PowerShell commands are slightly obfuscated using string replacement methods. Its function is to download two files from impressiondigitals[.]agency:
Decoy PDF: impressiondigitals[.]agency/files2/PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.lnk

HawkEyes Payload: impressiondigitals[.]agency/files2/LViS Store Marketing.lnk (MD5: 83ecbfdfa31f9934338a0f5b5edfdcfa)
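The shortcut fields that ExifTool surfaced above (window style, PowerShell arguments, drive serial number and tracker Machine ID) can be pulled straight from the MS-SHLLINK layout. The following is an added example, not code from the original post or from eSentire: a minimal parser plus a builder for a constructed test shortcut. The serial and Machine ID values in the self-test are the ones reported above; the sample's command line, target path and everything else about it are assumptions.

```python
import struct

HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE, TRACKER_SIG = 0x02, 0x20, 0x80, 0xA0000003
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched console window out of sight

def parse_lnk(data):
    """Pull the triage-relevant fields out of raw .lnk bytes (MS-SHLLINK layout)."""
    flags, show = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = struct.unpack_from("<I", data, 0)[0]                 # HeaderSize, normally 0x4C
    if flags & 0x01:                                            # skip LinkTargetIDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    serial = args = machine = None
    if flags & HAS_LINK_INFO:
        size, _, _, vol_off = struct.unpack_from("<4I", data, pos)
        raw = struct.unpack_from("<I", data, pos + vol_off + 8)[0]   # VolumeID.DriveSerialNumber
        serial = "%04X-%04X" % divmod(raw, 0x10000)
        pos += size
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):                  # StringData sections, on-disk order
        if flags & bit:
            n, width = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            text = data[pos + 2:pos + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
            if bit == HAS_ARGUMENTS:
                args = text
    while pos + 4 <= len(data):                                 # ExtraData blocks until the terminal block
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:   # TrackerDataBlock: MachineID at +16
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode()
        pos += size
    hidden = show == SW_SHOWMINNOACTIVE or "hidden" in (args or "").lower()
    return {"hidden_window": hidden, "args": args, "serial": serial, "machine": machine}

def build_sample_lnk(args, serial, machine, show=SW_SHOWMINNOACTIVE):
    """Constructed test artefact, not a real DUCKTAIL sample: minimal .lnk pointing at powershell.exe."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, b"\x01\x14\x02\x00", flags, 0x20, 0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    vol = struct.pack("<4I", 0x11, 3, int(serial.replace("-", ""), 16), 0x10) + b"\0"      # VolumeID
    base = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\0"              # LocalBasePath
    info = struct.pack("<7I", 28 + len(vol) + len(base) + 1, 28, 1, 28, 28 + len(vol), 0, 28 + len(vol) + len(base))
    strings = struct.pack("<H", len(args)) + args.encode("utf-16-le")                      # ARGUMENTS string
    tracker = struct.pack("<4I", 0x60, TRACKER_SIG, 0x58, 0) + machine.encode().ljust(16, b"\0") + b"\0" * 64
    return header + info + vol + base + b"\0" + strings + tracker + b"\0" * 4

if __name__ == "__main__":
    sample = build_sample_lnk('-w hidden -c "Get-Date"', "7838-8B0E", "desktop-oalig8v")
    print(parse_lnk(sample))
```

A serial or Machine ID recovered this way can be pivoted against public malware repositories, as the investigation above did.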
The decoy PDF is a fake job offer for a Facebook Ads Specialist; it replaces the malicious .lnk file on disk and is opened automatically during the next step.

The payload 83ecbfdfa31f9934338a0f5b5edfdcfa is an unsigned .NET executable originally named "HawkEyes". We'll call this first stage the HawkEyes loader.
The first stage payload performs several anti-analysis checks, such as looking for debugging tools (Figure 8), counting running processes and checking for common malware sandbox attributes.

Once the anti-analysis checks pass, it decompresses data stored in the resource file HawkEyes.Res1, modifies it by adding random bytes, and saves it to the user's Documents folder with a random number between 50 and 100 appended to the filename. The new payload is then started.
HawkEyes also contains code to create or remove itself from the startup folder and registry.
The new file is another .NET payload (MD5: DCAF0652E1602ECAEDAB32F078C993C9). This payload appears to contain the majority of the functionality familiar from DUCKTAIL malware.

DUCKTAIL's .NET payloads have undergone several changes, and much of the second stage payload is obfuscated. Thankfully its functionality can still be gleaned from memory analysis, where strings appear in cleartext, base64-encoded and double base64-encoded forms.

It collects various information about the system using WMI commands, and uses headless Chrome to retrieve network and browser information from whatismybrowser[.]com and ip-api[.]com. This information is stored in "System Information.txt".
Browser data is also collected from the victim’s registry via HKEY_LOCAL_MACHINE\Software\WOW6432Node\Clients\StartMenuInternet.
One possible reason for collecting this information is to closely emulate the system to avoid detection by the target website when connecting with stolen account information.
Data sought by this malware is not unlike general purpose stealers. Double base64-encoded memory strings show various files and identifiers tied to browsing information, including saved credit cards, cookies, bookmarks, and encrypted logins. We also see strings associated with decrypting stored web credentials.
This data appears to be stored in various text files and exfiltrated to the C2 via a Telegram Bot at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/sendDocument, packaged within an encrypted zip file.

Finally, we see diagnostic output related to the collection of Facebook Business accounts.
DUCKTAIL is known to target Facebook Ad and Business accounts. Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is generated by which the threat actor can grant themselves access.
DUCKTAIL uses the victim’s machine to interact with the Facebook API endpoints and configure new email addresses. These email addresses are retrieved from the Telegram C2 at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/getUpdates.
Accessing this endpoint does not require authentication and email addresses appear to rotate on set intervals.
The common structure of these email accounts ([email protected]) would suggest these are generated by threat actors and not compromised accounts.
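The Telegram Bot API pattern described above (a host polling getUpdates for tasking and uploading via sendDocument under the same bot token) is something a proxy log hunt can pick out. Added example, not from the original post or eSentire's detections: constructed log lines with a placeholder bot token, a parser for the Bot API path, and a per-host rating of the tasking-plus-exfil combination.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, source host, HTTP method, URL, status). The bot tokens
# are placeholders, not the token from the investigation.
SAMPLE_LOG = """\
2023-07-05T09:58:02Z ws-mkt-07 GET https://api.telegram.org/bot1234567890:AAplaceholdertoken/getUpdates 200
2023-07-05T09:58:40Z ws-mkt-07 POST https://api.telegram.org/bot1234567890:AAplaceholdertoken/sendDocument 200
2023-07-05T10:03:11Z ws-mkt-07 GET https://api.telegram.org/bot1234567890:AAplaceholdertoken/getUpdates 200
2023-07-05T10:05:00Z ws-hr-02 GET https://web.telegram.org/k/ 200
2023-07-05T10:06:30Z ws-dev-11 POST https://api.telegram.org/bot9876543210:AAanotherplaceholder/sendMessage 200
"""

BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)$")
TASKING = {"getUpdates"}                                # pulling instructions (here: email addresses) from the bot
EXFIL = {"sendDocument", "sendMessage", "sendPhoto"}    # pushing collected data to the operator

def parse_line(line):
    """Return (host, bot_id, method) for a Bot API call, None for any other line."""
    try:
        _, host, _, url, _ = line.split()
    except ValueError:
        return None
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":                # web.telegram.org and friends are ordinary user traffic
        return None
    m = BOT_PATH.match(u.path)
    return (host, m["bot_id"], m["method"]) if m else None

def hunt(log_text):
    """Group Bot API calls per source host and rate the DUCKTAIL-style tasking+exfil combination."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            host, bot_id, method = hit
            seen[host].add((bot_id, method))
    findings = {}
    for host, calls in seen.items():
        methods = {m for _, m in calls}
        if methods & TASKING and methods & EXFIL:
            findings[host] = "high: polls getUpdates and uploads via send*"
        elif methods & EXFIL:
            findings[host] = "medium: uploads to a bot, no tasking seen"
        else:
            findings[host] = "low: bot traffic, review context"
    return findings
```

Run hunt(SAMPLE_LOG) to see ws-mkt-07 rated high and ws-dev-11 medium, while the web.telegram.org browsing from ws-hr-02 is ignored.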
There are several possibilities for monetizing compromised Facebook Business accounts. Researchers from Deep Instinct recently suggested these accounts could be used to set up imitation business pages and scam unsuspecting customers. Another possibility is that threat actors are pushing white-label products at inflated prices using ads paid for by the victim organization.
| Indicator | Note |
|---|---|
| impressiondigitals[.]agency | DUCKTAIL Payloads |
| 83ecbfdfa31f9934338a0f5b5edfdcfa | HawkEyes Loader |
| 42673cf1b1f567fc253faeacd2aa735f | Malicious Shortcut File |