In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In a recent case in June 2023, our Security Operations Center was alerted to suspicious code written to the registry on an endpoint in a manufacturing customer’s network. The investigation identified Sorillus RAT and a phishing page, both delivered using HTML-smuggled files and links that relied on Google’s Firebase Hosting service.
Google Firebase Hosting is a cloud-based hosting service provided by Google as part of its Firebase platform that allows developers to easily deploy and serve web applications and static websites.
Projects are hosted as a subdomain of either “web.app” or “firebaseapp.com” and are automatically configured with SSL/TLS and served from Google’s Content Delivery Network (CDN) edge servers.
These factors make identifying malicious content using metadata such as domain age, reputation or SSL certificate details difficult, since those attributes are tied to a generic Google service. A cursory look at Twitter mentions involving “web.app” and the terms “phishing” or “malware” yields around three thousand tweets, primarily from researchers reporting malicious content abusing the platform. These mentions have increased noticeably since September 2022.
A look at submissions to VirusTotal yields 20,000+ *.web.app subdomains with ten or more security vendors reporting malicious content such as phishing or malware.
Sorillus RAT is a Java-based and cross-platform commercial malware offering various information stealing and remote access capabilities.
In this case, Sorillus was delivered to the victim via an email containing a tax-themed zip file (tax-document.zip). The zip contained an HTML file called “2022tax-extension.html” that smuggled the Java payload Tax-document_PDF.jar (MD5: e93b8dddfc9715f1785ff8f554d538a8).
When the user opens the .jar file, it is executed by the Java runtime (if present on the system). The payload then writes a copy of itself to %AppData%\Roaming\Microsoft\.tmp\ with a .tmp extension and creates a registry Run key named “Home” that launches the Java payload each time the user logs in.
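A defender-side check for the persistence described above, added here as an example and not part of eSentire’s write-up: it scores Run-key values (constructed sample entries, as they would appear in a registry export or a Sysmon Event ID 13 value-set event) for a Java launcher pointed at a .tmp file under %AppData%\Roaming\Microsoft\.tmp. The regexes, scores, user names and JRE path are assumptions for illustration; only the directory, the .tmp extension and the “Home” value name come from the case.

```python
import re

# Constructed Run-key values as they would appear in a registry export or a
# Sysmon Event ID 13 (RegistryEvent, value set). Paths and user names are
# illustrative; the pattern itself (a Java launcher pointed at a .tmp file
# under %AppData%\Roaming\Microsoft\.tmp, value name "Home") is from the case.
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Home",
     r'"C:\Program Files\Java\jre-CONSTRUCTED\bin\javaw.exe" -jar '
     r'"C:\Users\alice\AppData\Roaming\Microsoft\.tmp\aB3x9.tmp"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched",
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
]

JAVA_LAUNCHER = re.compile(r"\bjavaw?\.exe\b", re.IGNORECASE)
# Exact directory Sorillus used, with a .tmp "extension" hiding the JAR.
HIDDEN_TMP_PAYLOAD = re.compile(r"\\AppData\\Roaming\\Microsoft\\\.tmp\\[^\\\"]+\.tmp\b", re.IGNORECASE)
# Looser: any .jar/.tmp under a user profile's AppData handed to Java.
APPDATA_PAYLOAD = re.compile(r"\\AppData\\[^\"]+\.(?:jar|tmp)\b", re.IGNORECASE)

def score_run_value(value_path: str, command: str):
    """Score one Run-key value; returns (score, reasons). 3+ is worth an analyst's look."""
    score, reasons = 0, []
    if JAVA_LAUNCHER.search(command):
        score += 1
        reasons.append("Run key launches java/javaw")
        if HIDDEN_TMP_PAYLOAD.search(command):
            score += 3
            reasons.append("payload is a .tmp under %AppData%\\Roaming\\Microsoft\\.tmp")
        elif APPDATA_PAYLOAD.search(command):
            score += 1
            reasons.append("Java payload stored under AppData")
    if value_path.rsplit("\\", 1)[-1].lower() == "home":
        score += 1
        reasons.append("value name 'Home' matches the observed key")
    return score, reasons

def triage_run_values(entries, threshold: int = 3):
    """Return [(value_path, score, reasons)] for entries at or above the threshold."""
    out = []
    for value_path, command in entries:
        score, reasons = score_run_value(value_path, command)
        if score >= threshold:
            out.append((value_path, score, reasons))
    return out
```

Legitimate Java-based software also registers Run keys, which is why the launcher alone only adds one point; the hidden .tmp directory is what carries the weight.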
Examining the decompiled Jar file, we see multiple obfuscated class files:
These contain hints at the program’s RAT-like functionality:
The root folder holds a file titled “checksum” which contains the RAT’s configuration:
Unfortunately, the original zip file could not be retrieved during subsequent analysis due to a lack of telemetry. Open-source analysis of similar Sorillus samples using tax-themed lures from around the same time yielded several samples (1,2,3) that used Firebase Hosting to deliver the zip payloads:
Initially, analysts mistook this RAT for Adwind, an older commercial Java-based RAT with similar capabilities. Sandbox analysis of samples identified the network traffic as Adwind, but little else matched previously known samples, particularly the configuration file shown in Figure 6. Certain class files (such as the one shown in Figure 5) and the network traffic matched our previous Sorillus observations, leading us to believe this was an updated version of Sorillus.
Sorillus 6.1 was released on January 19, 2023, and added new features including support for loading dynamic configuration settings via Pastebin.
We identified a cracked version 6.1 leaked on Telegram on June 9th, and another uploaded to VirusTotal on May 31st. Examining the latter, we confirmed that the configuration file produced by the control panel matches those seen in samples in the wild.
The latest version provides several information stealing capabilities, including browser credentials.
It claims to extract credentials from Chromium-based browsers such as Chrome and Edge, which we were able to confirm on the latest Chrome build.
During our investigation, we identified that the victim had also opened and interacted with a phishing kit that relied heavily on Firebase Hosting for its components. This activity occurred just minutes before the Sorillus RAT activity but was likely unrelated. The phishing page used an invoice-themed HTM document, “invoice.statemtent.htm”, delivered to the victim via email (similar files on VirusTotal have extremely low detection rates).
The HTM file contains multiple layers of obfuscation and uses a decoding function ('_0x175d' in Figure 9 below) that rearranges and decodes elements of the array ‘_0xa2cc’ based on the hex values passed as parameters when the function is invoked.
This dynamically constructs new HTML when the HTM file is opened in the browser, as shown in Figure 10.
Multiple obfuscated JavaScript files are ultimately loaded from vinapsminznusx[.]web[.]app and wispy-dawn-ea24.porschea50[.]workers[.]dev and are used to dynamically render a Microsoft O365 login page using web content pulled from Microsoft (acctcdn.msftauth.net/images/).
Interestingly, the workers.dev domain is a domain suffix provided by Cloudflare for its Cloudflare Workers platform. Cloudflare Workers is a serverless computing platform that allows developers to run JavaScript code on Cloudflare's network of data centers.
To summarize, this phishing kit uses a local HTM file to pull highly obfuscated JavaScript components from Google and Cloudflare cloud computing services before rendering the phishing page using real brand assets from Microsoft.
An example of this phishing attack can be seen at https://www.joesandbox.com/analysis/887395/0/html#deviceScreen.
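As an added example (not from the original post or eSentire’s tooling), the following triage script refangs the indicators from the IoC table below and runs them, together with the hosting suffixes discussed above, over constructed proxy log lines; it also flags any client whose traffic shows the kit’s pattern of components from generic hosting followed by Microsoft brand assets. The log format, client addresses and the “generic-hosting” verdict are assumptions; the indicator values are the page’s own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosting platforms the write-up shows being abused (Firebase Hosting,
# Cloudflare Workers) and the host the kit pulls Microsoft brand assets from.
GENERIC_HOSTING_SUFFIXES = (".web.app", ".firebaseapp.com", ".workers.dev")
BRAND_ASSET_HOST = "acctcdn.msftauth.net"
# Indicators from the IoC table, defanged exactly as published.
PUBLISHED_IOCS = ["osaomnc[.]web[.]app", "savuom[.]web[.]app", "canmond[.]web[.]app",
                  "vinapsminznusx[.]web[.]app", "wispy-dawn-ea24.porschea50[.]workers[.]dev"]
def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http").strip().lower()
KNOWN_BAD = {refang(i) for i in PUBLISHED_IOCS}

def classify_host(host: str) -> str:
    host = host.lower()
    if host in KNOWN_BAD:
        return "known-bad"
    if host.endswith(GENERIC_HOSTING_SUFFIXES):
        return "generic-hosting"  # triage hint only: plenty of legitimate apps live here
    return "benign"

def triage_proxy_log(text: str):
    """Return hits worth a look and the clients whose traffic matches the kit's
    pattern: components from generic hosting followed by Microsoft brand assets."""
    hits, per_client = [], defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # constructed format: ts client method url status
        ts, client, _method, url, _status = parts[:5]
        host = (urlsplit(url).hostname or "").lower()
        verdict = classify_host(host)
        if verdict != "benign":
            hits.append((ts, client, host, verdict))
        per_client[client].add("hosting" if verdict != "benign"
                               else "brand" if host == BRAND_ASSET_HOST else "other")
    kit_clients = sorted(c for c, kinds in per_client.items() if {"hosting", "brand"} <= kinds)
    return hits, kit_clients

# Constructed proxy log: 10.1.4.23 loads kit components, then Microsoft assets.
SAMPLE_PROXY_LOG = """\
2023-06-12T14:02:11Z 10.1.4.23 GET https://vinapsminznusx.web.app/js/lib.js 200
2023-06-12T14:02:12Z 10.1.4.23 GET https://wispy-dawn-ea24.porschea50.workers.dev/a.js 200
2023-06-12T14:02:13Z 10.1.4.23 GET https://acctcdn.msftauth.net/images/logo.svg 200
2023-06-12T14:05:40Z 10.1.4.50 GET https://my-todo-demo.web.app/index.html 200
"""
```

A lone “generic-hosting” hit (10.1.4.50 here) is not an alert on its own; the sequence of kit components followed by real Microsoft assets from the same client is the signal worth escalating.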
Indicator                                   | Note
osaomnc[.]web[.]app                         | Firebase Hosting Sorillus zip payloads
savuom[.]web[.]app                          | Firebase Hosting Sorillus zip payloads
canmond[.]web[.]app                         | Firebase Hosting Sorillus zip payloads
e93b8dddfc9715f1785ff8f554d538a8            | Sorillus Java payload Tax-document_PDF.jar
185.196.220.62                              | Sorillus C2
vinapsminznusx[.]web[.]app                  | Hosting various JS components for phishing pages
wispy-dawn-ea24.porschea50[.]workers[.]dev  | Hosting various JS components for phishing pages
5f74bc4dc4ed13805295ae2f249450bb            | “Invoice.Statemtent.htm” phishing HTM files
eb1974840d85530ce42928edb27a2884            | “Invoice.Statemtent.htm” phishing HTM files
9251ca090c5b4d7fe7e309b5f8bbd0cf            | “Invoice.Statemtent.htm” phishing HTM files
66a13a6998a62bda15082b09980ca053            | “Invoice.Statemtent.htm” phishing HTM files
29fc65f116072a072d52dac21d33335f            | “Invoice.Statemtent.htm” phishing HTM files
2e277b66aed7aa20d399f115f4a7a2f8            | “Invoice.Statemtent.htm” phishing HTM files