eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
We identified IcedID malware attempting to load Cobalt Strike within 20 minutes of initial infection.
As noted in the June 2021 TRU Positive, IcedID is a modular banking trojan and precursor to hands-on-intrusions and ransomware attacks.
The incident started with the victim unwittingly mounting and executing the contents of an ISO file delivered through email.
This technique uses a disk image (.iso) containing a shortcut and hidden files. When clicked, the shortcut command uses the regsvr32 lolbin to execute the IcedID payload hidden within the mounted image container.
Once executed, IcedID immediately performs discovery commands to capture the system, domain, and networking information. These are common commands executed by precursor malware and are likely used to prioritize footholds for further intrusion actions.
Less than 20 minutes from initial infection, the host executed remote PowerShell commands to deploy a Cobalt Strike stager.
Figure 1 Endpoint View Showing IcedID Execution, Discovery Commands and Cobalt Strike Execution via PowerShellFigure 2 Timeline of Events from IcedID Infection to Cobalt StrikeFigure 3 Cobalt Strike PowerShell Stager
MDR for Network disrupted and alerted on the IcedID C2 traffic.
What did we do?
Our 24/7 SOC alerted the customer, and the host was contained.
What can you learn from this TRU positive?
Ransomware precursor threats such as IcedID, Emotet and Qakbot must be identified and contained before the host is used as a foothold for further attacks.
Adversaries are streamlining attacks to account for defender reaction times.
In December 2021, Emotet was observed directly deploying Cobalt Strike beacons to expedite intrusion actions. This was a departure from historical observations where malware such as Trickbot was deployed prior to Cobalt Strike.
In this case, the rapid deployment of Cobalt Strike stager suggests that an interactive intrusion was imminent.
Adversaries are using alternative techniques (e.g., .iso containers) to macro-based execution in malicious documents.
This is likely in response to Microsoft’s recent announcement of blocking macros by default in internet-sourced files starting in 2022.
Recommendations from our Threat Response Unit (TRU) Team:
Loader malware attempts to install other malware, so the priority should be to identify and investigate the presence of follow-on malware on systems. In addition, we recommend:
Display file extensions for known file types and consider showing hidden files to users by default.
Conduct Managed Phishing and Security Awareness Training on a regular basis. Warn users about the threat posed by scripts (e.g. JavaScript or VBScript) and image files (.iso) attached or linked in emails.
Employ email filtering and protection measures.
Block or quarantine email attachments such as EXEs, Password Protected ZIPs, JavaScript, Visual Basic scripts.
Implement anti-spoofing measures such as DMARC and SPF.
Employ an MFA solution to reduce impact of compromised credentials.
Train users to identify and report suspicious emails.
Protect endpoints against malware.
Ensure antivirus signatures are up-to-date.
Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
Limit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security.
Ask Yourself…
Is your malware identification and remediation process agile enough to disrupt follow-on attacks stemming from loader malware?
What level of visibility do you have across your network, endpoint and overall environment to detect malicious behavior at scale?
What tools are you employing for email filtering and how is that activity monitored?
What level of managed endpoint support do you have in place?
Are you monitoring your endpoints 24/7 and what degree of control do you have to initiate a kill switch when required?
Indicators of Compromise
Value
Description
51[.]89[.]73[.]150
IcedID C2
194[.]15[.]112[.]23
IcedID C2
149[.]3[.]170[.]104
IcedID C2
cooldogblunts[.]com
IcedID C2
reseptors[.]com
IcedID C2
coolbearblunts[.]com
IcedID C2
88[.]119[.]161[.]88
IcedID
934a3c540bb7224f9e0f6229b7dbe00b
IcedID
http://162[.]33[.]179[.]178/pasdphaiusfoifds
PowerShell Download Cradle for Cobalt Strike
0ab07147f62d8daabb591c7b4ccb4187
PowerShell Download Cradle for Cobalt Strike
http://162[.]33[.]179[.]178/asdhodihsa
Cobalt Strike PowerShell Stager
a1702eceb019352298b88b2011bfe8af
Cobalt Strike PowerShell Stager
162[.]33[.]178[.]218
Cobalt Strike
jquerysearchengine[.]com
Cobalt Strike
162[.]33[.]179[.]178
Cobalt Strike
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
