Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In July 2023, we received multiple alerts from BlueSteel, our machine-learning powered PowerShell classifier, on the execution of malicious PowerShell commands. Our Incident Handling Team identified ScreenConnect activity, which created numerous malicious files under the ProgramData
folder.
Figure 1: Malicious files dropped under the ProgramData folder
The ScreenConnect client was downloaded from a compromised Teachflix website (the website hosts educational videos for the classroom).
Upon visiting one of the pages, the user would get an error pop-up instructing them to download and launch the binary “teachflix.exe” to be able to browse through the website.
The error icon and ScreenConnect binary are located under /.well-known directory of the compromised webpage, as shown in Figure 3.
Figure 3: Snipped of the code responsible for serving ScreenConnect binary
The threat actor(s) executed the 02.bat script via the ScreenConnect session. The batch script is responsible for launching the malicious PowerShell command.
Unfortunately, we were not able to retrieve the 02.bat script. We cleaned up the command (Figure 5), and we can see that it retrieves the file “Coinfg.SVG” from the server after the string replacements.
Figure 4: Execution of the 01.bat file via ScreenConnect session
Figure 5: Malicious PowerShell command
The payload was hosted on a Plesk-controlled website and was uploaded to the server on July 12th. After performing an open source search, we were able to identify this as the WSO PHP webshell, which is available on GitHub. Our Threat Response Unit (TRU) discovered over 20 websites impacted, including the ones that were at some point infected with the webshell and delivering ScreenConnect. The binaries were also located at /.well-known
directory.
Based on the naming conventions and infection patterns, we assess with high confidence that the same threat actor is behind Operation PhantomControl.
Figure 6: Coinfg.SVG payload
Figure 7: Example of another infected website
The SVG file is a PowerShell script that performs the following actions:
Process hollowing via the first binary named “NewPE.dll” (RegSvc.exe process) – Figure 9. The binary is obfuscated with ConfuserEx.
Loading and invoking the main payload, which is AsyncRAT (an open-source remote access trojan with numerous capabilities, including remote access, file exfiltration, and keylogging)
Writing the PowerShell file “cgihvzm.ps1” into the ProgramData\ HAZLOPTVICXEAQ folder (please note that the directory name can be different)
Writing VBS file “HAZLOPTVICXEAQ.vbs” and PowerShell file “HAZLOPTVICXEAQ.ps1” into the same mentioned folder above
Creating a scheduled task named “HAZLOPTVICXEAQ” to run the VBS file
Writing the batch file “1.bat” info in the mentioned folder
Running the PowerShell file “cgihvzm.ps1”, “HAZLOPTVICXEAQ.ps1”, and the batch file “1.bat”
Figure 8: Cleaned up a snippet of Coinfg.SVG script
Figure 9: PE responsible for process hollowing
Each file created under ProgramData does:
HAZLOPTVICXEAQ.vbs – responsible for running the 1.bat file
1.bat file – responsible for running “cgihvzm.ps1” file via the command:
TRU also observed two other attempts to retrieve the payload via ScreenConnect session after executing the 01.bat script. One of the payloads was located at 212.11.196[.]183/~sytimes/C0nfig.jpg. However, at the time of this reporting, the host is down.
Another payload was retrieved via the “runing.exe” binary. We were not able to retrieve the binary as it was removed. However, through open-source analysis, we assess with medium confidence that the binary is an AutoHotKey loader that is used to retrieve the secondary payload (in our case, the payload is located at hxxp://moealalah.za[.]com/moealalah.jpg, which is no longer available). We were able to retrieve similar files from VirusTotal:
The threat actor generated the ScreenConnect client using ClickOnceRun option which then, upon user execution, downloads the client from the attacker’s controlled ScreenConnect panel. In the case we observed, the attacker’s ScreenConnect instance was engineer53.screenconnect[.]com. Upon launching the client, the attacker gained full remote control on the victim’s machine.
Figure 10: Downloading ScreenConnect client from attacker's controlled panel
What did we do?
eSentire TRU investigated the threat and confirmed the activity is malicious.
Our team of 24/7 SOC Cyber Analysts isolated affected hosts to contain this incident in accordance with the customer’s business policies.
What can you learn from this TRU Positive?
Attackers used ScreenConnect, delivered via a compromised website, to achieve remote control over the machine and push additional malware such as AsyncRAT.
eSentire TRU was able to identify over 20 websites that were compromised by the same threat actor.
AsyncRAT payloads that belong to the threat actor are communicating on different C2 servers.
Recommendations from our Threat Response Unit (TRU):
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
