In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In a recent case in June 2023, our Security Operations Center was alerted to suspicious code written to the registry on an endpoint in a manufacturing customer’s network. The investigation identified Sorillus RAT and a phishing page, both delivered using HTML-smuggled files and links hosted on Google’s Firebase Hosting service.
Google Firebase Hosting is a cloud-based hosting service provided by Google as part of its Firebase platform that allows developers to easily deploy and serve web applications and static websites.
Projects are hosted as a subdomain of either “web.app” or “firebaseapp.com”, are automatically provisioned with a TLS certificate, and are served from Google’s Content Delivery Network (CDN) edge servers.
These factors make it difficult to identify malicious content using metadata such as domain age, reputation or certificate details, since those attributes belong to the shared Google service rather than to the individual project. A cursory look at Twitter mentions involving “web.app” together with the terms “phishing” or “malware” yields around three thousand tweets, primarily from researchers reporting malicious content abusing the platform. These mentions have increased noticeably since September 2022.
A look at submissions to VirusTotal yields 20,000+ *.web.app subdomains on which ten or more security vendors report malicious content such as phishing or malware.
Sorillus RAT is a Java-based and cross-platform commercial malware offering various information stealing and remote access capabilities.
In this case, Sorillus was delivered to the victim via an email containing a tax-themed zip file (tax-document.zip). The zip contained an HTML file called “2022tax-extension.html” that smuggled the Java payload Tax-document_PDF.jar (MD5: e93b8dddfc9715f1785ff8f554d538a8).
When clicked, the .jar file is executed by the Java executable (if present on the system). It then writes a copy of itself to AppData\Roaming\Microsoft\.tmp\ in the user’s profile with a .tmp extension, and creates a registry Run value named “Home” so that the Java payload is executed each time the user logs in.
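The persistence chain described above, as a detection sketch added here (this is not eSentire’s detection content). The rules run over Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set); the field names, the HKU path and the exact command line stored in the “Home” value are assumptions, since the page only states the drop directory, the .tmp extension, the value name and that Java launches the payload. The sample events are constructed.

```python
"""Flag the Sorillus-style Java persistence chain in Sysmon-like telemetry.
Added example, not eSentire's code; event shapes and samples are constructed."""
import re

# Assumptions: the Run value launches java/javaw on the dropped .tmp file, and
# the drop directory is <profile>\AppData\Roaming\Microsoft\.tmp\ (page text).
JAVA = re.compile(r'(?:^|[\\\s"])javaw?(?:\.exe)?(?=[\s"]|$)', re.I)
DROP_DIR = re.compile(r'\\AppData\\Roaming\\Microsoft\\\.tmp\\[^\\"]+\.tmp', re.I)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
USER_STAGING = re.compile(r'\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\[^"]+\.jar', re.I)


def rule_run_value(ev):
    """Sysmon 13: a Run value whose data launches Java on a .tmp in the hidden drop dir."""
    return bool(ev.get("EventID") == 13
                and RUN_KEY.search(ev.get("TargetObject", ""))
                and JAVA.search(ev.get("Details", ""))
                and DROP_DIR.search(ev.get("Details", "")))


def rule_drop_file(ev):
    """Sysmon 11: a Java process creating a .tmp file under ...\\Microsoft\\.tmp\\."""
    return bool(ev.get("EventID") == 11
                and JAVA.search(ev.get("Image", ""))
                and DROP_DIR.search(ev.get("TargetFilename", "")))


def rule_jar_from_staging(ev):
    """Sysmon 1: Java launched on a .jar sitting in Downloads or Temp, where a
    smuggled attachment lands when the user double-clicks it."""
    return bool(ev.get("EventID") == 1
                and JAVA.search(ev.get("Image", ""))
                and USER_STAGING.search(ev.get("CommandLine", "")))


RULES = {
    "java_jar_from_user_staging": rule_jar_from_staging,
    "sorillus_hidden_tmp_drop": rule_drop_file,
    "sorillus_run_value_home": rule_run_value,
}


def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


JRE = r"C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe"  # assumed install path

# Constructed sample telemetry (not from the incident): three stages of the
# chain followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": JRE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s" -jar "C:\\Users\\jdoe\\Downloads\\Tax-document_PDF.jar"' % JRE},
    {"EventID": 11, "Image": JRE,
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\.tmp\4f2a9c.tmp"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Home",
     "Details": '"%s" -jar "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\.tmp\\4f2a9c.tmp"' % JRE},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": JRE, "ParentImage": r"C:\Program Files\SomeTool\tool.exe",
     "CommandLine": '"%s" -jar "C:\\Program Files\\SomeTool\\tool.jar"' % JRE},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, "->", ev.get("CommandLine") or ev.get("TargetFilename") or ev.get("Details"))
```

The Run-value rule is the high-confidence one (a Java launcher pointing into a dot-named directory under AppData is not something legitimate software registers); the staging rule is noisier on hosts where users routinely run downloaded .jar files and is best paired with the parent process.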
Examining the decompiled Jar file, we see multiple obfuscated class files:
These contain hints at the program’s RAT-like functionality:
The root folder holds a file titled “checksum” which contains the RAT’s configuration:
Unfortunately, during subsequent analysis the original zip file could not be retrieved due to a lack of telemetry. Open-source analysis of similar tax-themed Sorillus samples from the same period yielded several samples (1, 2, 3) that used Firebase Hosting to deliver the zip payloads:
Initially, analysts mistook this RAT for Adwind, an older commercial Java-based RAT with similar capabilities. Sandbox analysis of samples identified the network traffic as Adwind, but little else matched previously known samples, particularly the configuration file shown in Figure 6. Certain class files (such as the one shown in Figure 5) and the network traffic matched our previous Sorillus observations, leading us to believe this was an updated version of Sorillus.
Sorillus 6.1 was released on January 19, 2023, and added new features including support for loading dynamic configuration settings via Pastebin.
We identified a cracked version 6.1 leaked on Telegram on June 9th, and another uploaded to VirusTotal on May 31st. Examining the latter, we confirmed the configuration file produced by the control panel matches those samples seen in the wild.
The latest version provides several information stealing capabilities, including browser credentials.
It claims to extract credentials from Chromium-based browsers such as Chrome and Edge, which we were able to confirm on the latest Chrome build.
During our investigation, we identified that the victim had also opened and interacted with a phishing kit that relied heavily on Firebase Hosting for its components. The activity occurred just minutes before the Sorillus RAT activity but was likely unrelated. The phishing page used an invoice-themed HTM document, “invoice.statemtent.htm”, delivered to the victim via email (similar files on VirusTotal have extremely low detection rates).
The HTM file contains multiple layers of obfuscation and uses a decoding function ('_0x175d' in Figure 9 below) that rearranges and decodes the elements of the array ‘_0xa2cc’ based on the hex-string index passed as a parameter each time the function is invoked.
This appears to dynamically construct new HTML code when the HTM file is opened in the browser, as demonstrated in Figure 10.
Multiple obfuscated JavaScript files are ultimately loaded from vinapsminznusx[.]web[.]app and wispy-dawn-ea24.porschea50[.]workers[.]dev and are used to dynamically render a Microsoft 365 login page using web content pulled from Microsoft (acctcdn.msftauth.net/images/).
Interestingly, workers.dev is a domain provided by Cloudflare for its Cloudflare Workers platform. Cloudflare Workers is a serverless computing platform that allows developers to run JavaScript code on Cloudflare's network of data centers.
To summarize, this phishing kit uses a local HTM file to pull highly obfuscated JavaScript components from Google and Cloudflare cloud computing services before rendering the phishing page using real brand assets from Microsoft.
An example of this phishing attack can be seen at https://www.joesandbox.com/analysis/887395/0/html#deviceScreen.
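The decoding pattern described above (an ‘_0x…’ string array, a stub that rotates it, and a decoder called with hex-string indices) can be unpacked statically without running the page in a browser. The following Python is an added example and is not the kit’s code or eSentire’s: SAMPLE is a constructed imitation of the pattern produced by a toy obfuscate() helper, the rotation stub and decoder shapes mirror the common form of this obfuscation rather than the exact kit, every hostname and path in the sample is hypothetical, and CLOUD_SUFFIXES is an assumed list. It also goes one step beyond the text by tagging which loaded hosts sit on a shared Google or Cloudflare apex, where domain age and reputation say nothing about the tenant.

```python
"""Static unpacker for '_0x' string-array obfuscation (rotate stub + hex-index
decoder). Added example, not the kit's code; SAMPLE is a constructed imitation."""
import base64
import json
import re

# Shared hosting apexes (assumed list): reputation of the apex is meaningless,
# only the project/worker subdomain carries signal.
CLOUD_SUFFIXES = (".web.app", ".firebaseapp.com", ".workers.dev")


def obfuscate(pieces, rotate_by):
    """Toy imitation of the obfuscator output: base64 each piece, store the
    array pre-rotated so the stub must undo it, reference pieces by hex index."""
    n = len(pieces)
    stored = [pieces[(j - rotate_by) % n] for j in range(n)]
    arr = ",".join("'%s'" % base64.b64encode(p.encode()).decode() for p in stored)
    calls = "+".join("_0x175d('0x%x')" % i for i in range(n))
    return ("var _0xa2cc=[%s];" % arr
            # c(++b) followed by while(--d) performs exactly b push(shift()) rotations
            + "(function(a,b){var c=function(d){while(--d){a['push'](a['shift']());}};"
              "c(++b);}(_0xa2cc,0x%x));" % rotate_by
            + "var _0x175d=function(a,b){a=a-0x0;var c=_0xa2cc[a];return atob(c);};"
            + "document['write'](%s);" % calls)


# Hypothetical hostnames/paths; only the msftauth.net image path is from the page.
SAMPLE = obfuscate([
    '<script src="https://',
    'example-kit.web.app/js/loader.js"></script>',
    '<script src="https://wispy-example.acct.workers.dev/main.js"></script>',
    '<img src="https://acctcdn.msftauth.net/images/logo.png">',
], rotate_by=0x12f)

ARRAY_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];", re.I)
FUNC_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*function\s*\([^)]*\)\s*\{([^}]*)\}", re.I)


def unpack(js):
    """Replace every decoder('0x..') call with the plaintext literal it yields."""
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError("no string array found")
    arr_name, body = m.groups()
    strings = [s.strip().strip("'\"") for s in body.split(",") if s.strip()]

    # Rotation stub: ...}(_0xa2cc,0x12f)); means b left-rotations of the array.
    rot = re.search(r"\(\s*%s\s*,\s*(0x[0-9a-f]+|\d+)\s*\)" % re.escape(arr_name), js, re.I)
    k = int(rot.group(1), 0) % len(strings) if rot else 0
    strings = strings[k:] + strings[:k]

    # The decoder is the function whose body indexes the array; base64 if it calls atob.
    dec = next((f for f in FUNC_RE.finditer(js) if arr_name in f.group(2)), None)
    if dec is None:
        raise ValueError("no decoder references %s" % arr_name)
    dec_name, dec_body = dec.groups()
    if "atob(" in dec_body:
        decode = lambda s: base64.b64decode(s).decode("utf-8", "replace")
    else:
        decode = lambda s: s

    call_re = re.compile(r"%s\(\s*'(0x[0-9a-f]+|\d+)'\s*\)" % re.escape(dec_name), re.I)
    out = call_re.sub(lambda c: json.dumps(decode(strings[int(c.group(1), 0)])), js)
    # Fold "a"+"b" into "ab" so URLs split across pieces become readable
    # (escaped quotes inside literals are untouched).
    return re.sub(r'"\s*\+\s*"', "", out)


def hosts_loaded_by(js):
    """Hosts in http(s) URLs of the unpacked script, tagged when they sit on a
    shared cloud apex where only the tenant subdomain is worth judging."""
    hosts = {}
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", unpack(js)):
        suffix = next((s for s in CLOUD_SUFFIXES if host.lower().endswith(s)), None)
        hosts[host] = "tenant on shared %s apex" % suffix if suffix else "dedicated host"
    return hosts


if __name__ == "__main__":
    print(unpack(SAMPLE))
    for host, verdict in hosts_loaded_by(SAMPLE).items():
        print(host, "->", verdict)
```

Resolving the decoder statically rather than executing the HTM keeps the analyst off the attacker’s infrastructure: the unpacked document.write payload already reveals which subdomains the kit pulls its JavaScript from, which is the unit to block or hunt on, since blocking web.app or workers.dev outright is rarely acceptable.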
| Indicator | Note |
| --- | --- |
| osaomnc[.]web[.]app | Firebase Hosting Sorillus zip payloads |
| savuom[.]web[.]app | Firebase Hosting Sorillus zip payloads |
| canmond[.]web[.]app | Firebase Hosting Sorillus zip payloads |
| e93b8dddfc9715f1785ff8f554d538a8 | Sorillus Java payload Tax-document_PDF.jar (MD5) |
| 185.196.220.62 | Sorillus C2 |
| vinapsminznusx[.]web[.]app | Hosting various JS components for phishing pages |
| wispy-dawn-ea24.porschea50[.]workers[.]dev | Hosting various JS components for phishing pages |
| 5f74bc4dc4ed13805295ae2f249450bb | “Invoice.Statemtent.htm” phishing HTM files (MD5) |
| eb1974840d85530ce42928edb27a2884 | “Invoice.Statemtent.htm” phishing HTM files (MD5) |
| 9251ca090c5b4d7fe7e309b5f8bbd0cf | “Invoice.Statemtent.htm” phishing HTM files (MD5) |
| 66a13a6998a62bda15082b09980ca053 | “Invoice.Statemtent.htm” phishing HTM files (MD5) |
| 29fc65f116072a072d52dac21d33335f | “Invoice.Statemtent.htm” phishing HTM files (MD5) |
| 2e277b66aed7aa20d399f115f4a7a2f8 | “Invoice.Statemtent.htm” phishing HTM files (MD5) |