In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In October 2023, our Threat Response Unit (TRU) observed multiple incidents stemming from a new Nitrogen campaign. You can read more on the previous Nitrogen campaign from one of our articles here. One of these incidents ultimately led to ALPHV/BlackCat Ransomware. In this case, threat actors infiltrated the network, gaining their initial foothold through malicious payloads from a drive-by download.
A drive-by download is the involuntary installation of malicious software on a user's system without their informed consent. It typically happens when a user visits, or is redirected to, a compromised or malicious website, sometimes via deceptive Google Ads. In the first case, we assessed that a search advertisement directed the user to malware on a website posing as a legitimate software vendor. In the second case, the user was deceived while attempting to install WinSCP.
This article will explore the commands employed by the threat actors during their post-exploitation phase and take a closer look at the payloads involved.
In the first incident, our team traced post-exploitation activity to an unmanaged device with access to the customer’s network. Analysis of available logs pointed to a drive-by download and installation of Nitrogen payloads from a malicious search advertisement.
Fortunately, we were able to identify a matching ISO file uploaded to VirusTotal (MD5: 06345b04244b629f9632009cafa23fc1). Our analysis of the initial infection stage draws from this file, which was corroborated with behaviors we observed from our security telemetry from this incident and others.
The ISO image contains multiple files, as shown in Figure 1.
The “support” folder contains multiple garbage files. We will focus on the following files:
setup.exe is the Windows Installer executable (msiexec.exe). When executed, it loads an msi.dll file modified by the threat actor(s). The modified msi.dll declares a custom import of the exported function “nop” from foo.dll, which causes foo.dll to be loaded (Figure 2).
foo.dll is responsible for decrypting the “data” file with AES. The key and IV are hardcoded in the binary in obfuscated form. As in the previous campaign, some strings are obfuscated with a simple Caesar cipher, where each character is shifted by a fixed number of places (e.g., 5), as shown in Figure 3.
Decrypting the “data” file yields a ZIP archive, shown in Figure 4, containing custom_installer.exe (MD5: 55144c356dbfaf88190c054011db812e), another malicious payload, and Advanced_IP_Scanner.exe (MD5: 5537c708edb9a2c21f88e34e8a0f1744), a legitimate Advanced IP Scanner installer used as a decoy.
The custom_installer.exe payload decrypts another ZIP archive containing additional payloads, places them across multiple folders, and establishes persistence via scheduled tasks. The folders containing malicious payloads are shown in Figure 5. In this particular sample, the Notepad folder contains only legitimate Python dependencies and is omitted from the screenshot for clarity.
In the previous campaign, Nitrogen set the scheduled tasks to point to pythonw.exe in order to side-load the malicious DLL. The latest campaign, in contrast, creates two scheduled tasks that execute the commands shown in Figure 6.
The scheduled task names (OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003) remain the same as in the previous campaign. The file update.exe (MD5: e5da170027542e25ede42fc54c929077) is a renamed copy of the legitimate msiexec.exe (Windows Installer). When the command runs, the payload spawns spoolsv.exe and dllhost.exe processes from the directories “C:\Users\<username>\AppData\Local\OneDrive\” and “C:\Users\<username>\AppData\Local\Security\” respectively.
Further analysis of the binary showed that the base64-encoded command-line argument contains a nonce, an encrypted key, and a list of strings encrypted with the ChaCha stream cipher. The decrypted strings are the following:
The msi.dll files are side-loaded during scheduled task execution and contain custom imports that additionally load the zen.dll (MD5: 6557a11aac33c4e6e10eeea252157f3e) and fid.dll (MD5: 1f04ca6ffef0b737204f3534ff73575e) files shown in Figure 5. These, in turn, read the base64-encoded command-line argument, decrypt it, and use the decrypted strings as configuration parameters.
The payloads zen.dll and fid.dll use the transacted hollowing technique, shown in Figure 7, which combines elements of Process Hollowing and Process Doppelgänging. It relies on Windows Native API functions: NtCreateTransaction and RtlSetCurrentTransaction to create and open the transacted file, and CreateProcessInternalW to create the spoolsv.exe and dllhost.exe processes in a suspended state. The injection then unmaps the process memory and replaces it with the pythonw.exe binary.
When pythonw.exe is executed from the specified directories, it side-loads the malicious python311.dll files. These files contain embedded and obfuscated C2 addresses (see Indicators of Compromise table), which are used for persistent C2 communication.
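The persistence chain above (renamed msiexec.exe as update.exe, spoolsv.exe/dllhost.exe under AppData\Local\OneDrive and AppData\Local\Security, the fixed task name, and pythonw.exe renamed to itw.exe) can be expressed as host-based detection rules. The following is an added example written for this article, not eSentire's or TRU's own detection content; the Sysmon-style events, the user name "alice" and the key=value line format are constructed for illustration.

```python
"""Detection logic for the Nitrogen persistence chain described above (added example)."""
import re

# System binaries the campaign launches (or impersonates) from user-writable folders.
SYSTEM_BINARIES = {"spoolsv.exe", "dllhost.exe", "msiexec.exe"}
# Binaries the actors were seen renaming (update.exe, itw.exe, ServiceUpdate.exe).
RENAME_WATCH = SYSTEM_BINARIES | {"pythonw.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Drop folders from the report. The real OneDrive client lives under
# AppData\Local\Microsoft\OneDrive\, so these substrings do not match it.
DROP_DIRS = ("\\appdata\\local\\onedrive\\", "\\appdata\\local\\security\\")
TASK_NAME_RE = re.compile(r"onedrive security task-s-1-5-21-[\d-]+", re.IGNORECASE)

# Constructed Sysmon-style events (key=value pairs); paths follow the report.
SAMPLE_EVENTS = [
    r"EventType=ProcessCreate; Image=C:\Users\alice\AppData\Local\OneDrive\update.exe; "
    r"OriginalFileName=msiexec.exe; ParentImage=C:\Windows\System32\svchost.exe",
    r"EventType=ProcessCreate; Image=C:\Users\alice\AppData\Local\Security\dllhost.exe; "
    r"OriginalFileName=dllhost.exe; ParentImage=C:\Users\alice\AppData\Local\Security\update.exe",
    r"EventType=ProcessCreate; Image=C:\Windows\System32\spoolsv.exe; "
    r"OriginalFileName=spoolsv.exe; ParentImage=C:\Windows\System32\services.exe",
    r"EventType=TaskRegistered; TaskName=\OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003; "
    r"Image=C:\Windows\System32\svchost.exe",
    r"EventType=ProcessCreate; Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe; "
    r"OriginalFileName=OneDrive.exe; ParentImage=C:\Windows\explorer.exe",
    r"EventType=ProcessCreate; Image=C:\Users\alice\AppData\Local\Notepad\itw.exe; "
    r"OriginalFileName=pythonw.exe; ParentImage=C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Parse one 'key=value; key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("; "))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of findings for one event (an empty list means benign)."""
    findings = []
    image = event.get("Image", "").lower()
    name = basename(image)
    original = event.get("OriginalFileName", "").lower()
    # Rule 1: a core Windows binary name executing outside System32/SysWOW64.
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        findings.append(f"{name} running outside a system directory: {image}")
    # Rule 2: PE original name disagrees with the on-disk name (update.exe, itw.exe).
    if original in RENAME_WATCH and original != name:
        findings.append(f"renamed {original} executing as {name}")
    # Rule 3: anything executing from the campaign's drop folders.
    if any(d in image for d in DROP_DIRS):
        findings.append(f"execution from Nitrogen drop folder: {image}")
    # Rule 4: the scheduled task name reused across both campaigns.
    task = event.get("TaskName", "")
    if TASK_NAME_RE.search(task):
        findings.append(f"Nitrogen persistence task name: {task}")
    return findings


def scan(lines):
    """Run every rule over every line; returns [(line_index, findings), ...] for hits."""
    hits = []
    for i, line in enumerate(lines):
        findings = evaluate(parse_event(line))
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(f"event {i}:")
        for f in findings:
            print("  -", f)
```

Rule 1 and Rule 2 together also catch the legitimate-but-misplaced case (a genuine spoolsv.exe copied into a user profile), which string matching on the path alone would miss.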
Besides introducing transacted hollowing, the threat actor(s) behind the recent Nitrogen campaign returned with a set of enhanced capabilities: bypasses for the Antimalware Scan Interface (AMSI), Event Tracing for Windows (ETW) and Windows Lockdown Policy (WLDP); antivirus evasion via AntiHook (which evades the userland hooking techniques employed by antivirus software); and the KrakenMask sleep obfuscation tool, used to mask return addresses within the AMSI, ETW and WLDP patching and AntiHook functions and to encrypt the contents of the .text section. For brevity, we won't delve into the technical intricacies of these functions in this article.
In one of the recent Nitrogen samples, the file slv.py (MD5: 88423cf8154ccc3278abea0e97446003) is dropped into the C:\Users\<username>\AppData\Local\Notepad folder.
slv.py contains Python code that decodes a base64 string, deserializes the resulting bytes with the marshal module, and then executes the resulting obfuscated Python code. We believe the threat actor(s) adopted this obfuscation technique from this obfuscation tool.
Figure 7 shows the disassembled Python bytecode. The bytecode decrypts data.aes (MD5: d36269ac785f6b0588fbd7bfd1b50a57) using AES. The decrypted DLL is a Sliver payload (MD5: a9e5c83f7d96144fa31126ef0a7a9e2f) that connects to the C2 server at 194.180.48[.]149:8443. Previously, Nitrogen threat actors used the Pyramid C2 framework for post-exploitation.
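An analyst does not need to run an slv.py-style stage to see what it references: the base64 decode and marshal.loads steps can be replayed and the recovered code object inspected statically with the dis module. The following is an added example, not code from the article or from the sample; the embedded stage is a harmless, constructed stand-in compiled in-process, and the loader-indicator name set is a heuristic assumption.

```python
"""Static inspection of a base64+marshal Python loader stage (added example)."""
import base64
import dis
import marshal
import types

# Constructed stand-in for the loader's payload: a harmless code object whose
# constants and names mimic what an slv.py-style stage references.
_INNER_SRC = '''
import marshal
with open("data.aes", "rb") as f:
    blob = f.read()
key = "0123456789abcdef"
'''
ENCODED_STAGE = base64.b64encode(
    marshal.dumps(compile(_INNER_SRC, "<stage>", "exec"))
).decode()

# Names whose presence suggests the stage is itself a loader for a further stage.
LOADER_INDICATORS = {"exec", "eval", "marshal", "__import__", "loads"}


def unpack_stage(encoded: str) -> types.CodeType:
    """Replay the loader's decode + deserialize steps, but never exec() the result.
    marshal.loads is not hardened against hostile input, so run this in an analysis VM."""
    code = marshal.loads(base64.b64decode(encoded))
    if not isinstance(code, types.CodeType):
        raise TypeError(f"expected a code object, got {type(code).__name__}")
    return code


def walk_constants(code: types.CodeType, found=None) -> list:
    """Recursively collect string constants, descending into nested code objects."""
    found = [] if found is None else found
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            walk_constants(const, found)
    return found


def referenced_names(code: types.CodeType) -> set:
    """Collect global and attribute names the bytecode touches (marshal, open, read, ...)."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= referenced_names(const)
    return names


def triage(encoded: str) -> dict:
    """Summarise a stage: strings (file names, keys, C2 hints), names, and a listing."""
    code = unpack_stage(encoded)
    names = referenced_names(code)
    listing = "\n".join(
        f"{ins.offset:4} {ins.opname} {ins.argrepr}" for ins in dis.get_instructions(code)
    )
    return {
        "strings": walk_constants(code),
        "names": sorted(names),
        "loader_indicators": sorted(names & LOADER_INDICATORS),
        "listing": listing,
    }


if __name__ == "__main__":
    report = triage(ENCODED_STAGE)
    print("strings:", report["strings"])
    print("names:", report["names"])
    print("loader indicators:", report["loader_indicators"])
    print(report["listing"])
```

On a real sample the strings list is where file names such as data.aes and hardcoded key material surface, and the listing is what Figure 7 shows in disassembled form.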
Upon establishing the initial foothold, threat actors moved laterally to other hosts in the environment and dropped multiple obfuscated Python scripts similar to slv.py:
wo9.py, wo10.py, and wo4.py contain embedded, AES-encrypted Cobalt Strike payloads. Using the Cobalt Strike configuration parser from SentinelOne, we extracted the Cobalt Strike configurations (see Indicators of Compromise table).
updateegge.py is similar to slv.py and decrypts dotae.aes (MD5: 4722f13c22abaa6045c544ee7dde3e5a) to the Sliver payload (MD5: 9f1c9b28eaf00b9aec180179255d87c0) that connects to 185.216.70[.]236:8443.
Further on, the threat actors used PsExec and WMIC for lateral movement and ran Restic (a backup program) to exfiltrate data:
The threat actors also enabled the Administrator account and multiple other accounts with the password “GoodLuck!”:
One of the dropped batch files contained a command to map the C$ administrative share of a machine to the local drive letter N:, using the Administrator account with the password “GoodLuck!”, followed by a command to copy the ALPHV ransomware binaries (safe.exe) from the N: drive to the C: drive:
Another batch file, named UpdateEGGE.bat, contained the command to run wo4.py via pythonw.exe:
We also observed the threat actors renaming pythonw.exe to itw.exe and ServiceUpdate.exe.
In another incident involving a Nitrogen infection, our 24/7 SOC Cyber Analysts traced the origin of the malicious file (Figure 9). They found that the affected user had fallen victim to a drive-by download while using a search platform, inadvertently downloading the malicious file.
The threat actors used Punycode to make the domain look trustworthy. Punycode encodes Unicode characters into ASCII, mainly for internationalized domain names (IDNs) that contain non-ASCII characters, which allows domains to use characters from various languages. Threat actors can abuse Punycode to conduct what is known as an IDN homograph attack.
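Decoding the xn-- form and folding accents and confusable letters makes this kind of look-alike mechanically detectable; the domain observed hosting the fake WinSCP installer in this campaign, xn--wnscp-tsa.net, decodes to wìnscp.net. The following is an added example, not eSentire's tooling; the watchlist, the tiny confusables subset and the Cyrillic test domain are constructed, and only the Python standard library is used.

```python
"""Flag IDN homograph look-alikes of watch-listed domains (added example)."""
import unicodedata

# Constructed watchlist: domains whose look-alikes we want to catch.
WATCHLIST = {"winscp.net"}

# Tiny subset of the Unicode confusables table: Cyrillic letters that render like Latin.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def decode_idn(domain: str) -> str:
    """Turn a Punycode (xn--) domain back into its Unicode form."""
    return domain.encode("ascii").decode("idna")


def skeleton(domain: str) -> str:
    """Fold accents and confusable letters so look-alikes collapse to one string."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)


def scripts_used(domain: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) among the letters of the domain."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()
    }


def assess(domain: str) -> dict:
    """Decode a domain and report the homograph signals a triage analyst wants."""
    decoded = decode_idn(domain)
    skel = skeleton(decoded)
    return {
        "decoded": decoded,
        "skeleton": skel,
        "non_ascii": not decoded.isascii(),
        # Letters from more than one script in a single domain is a strong signal.
        "mixed_script": len(scripts_used(decoded)) > 1,
        # Folded form equals a watch-listed brand but the real string does not.
        "lookalike_of": skel if skel in WATCHLIST and skel != decoded else None,
    }


if __name__ == "__main__":
    for d in ("xn--wnscp-tsa.net", "winscp.net", "\u0430pple.com".encode("idna").decode()):
        print(d, "->", assess(d))
```

The lookalike_of check only catches brands on the watchlist; the non_ascii and mixed_script signals are what you would alert on for domains you have never seen before.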
The following reconnaissance commands were executed to gather information about the network and users:
Based on the overlap in Tactics, Techniques, and Procedures (TTPs), we assess that the primary objective was likely ransomware deployment, as in the previously described case. The threat actor(s) attempted to manually execute slv.py (the Sliver payload) from the PowerShell command line.