Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.
The user was redirected to a malicious website serving a ScreenConnect client from receipt-view.blogspot[.]com. Tracing the download source, we found a compromised website hosting a malicious ScreenConnect client (MD5: 412e11d3ff7659c7d05194cc5e0e1f32), as shown in Figures 1-2.
Upon running the ScreenConnect client, the infected machine established the connection to legal-advocate.screenconnect[.]com, which is the threat actor’s controlled ScreenConnect instance.
The instance domain resolves to 147.75.81[.]214, which was observed to be used previously by PhantomControl threat actor(s).
Approximately 9 minutes after launching ScreenConnect, the threat actor(s) dropped the file File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) under Documents\ConnectWiseControl\Temp\.
The VBS script contains garbage strings that conceal the malicious code. Upon cleaning up the script, we see a reference to paste[.]ee domain as shown in Figure 3.
The VBS script sends an HTTP GET request to the URL, then it checks if the response status is 200. If the response is 200, it stores the response text in a variable named “response”.
The script then executes the content of the variable using the Execute statement.
The VBS script retrieved from paste[.]ee contained garbled data and reversed strings. After some cleanup, it transformed into the reversed base64-encoded obfuscated PowerShell snippet (Figure 4).
Further deobfuscating the PowerShell script (Figure 5), we can try to break down what the script does:
Upon retrieving the base64-encoded data from the downloaded image (Figure 6), we obtain the .NET binary payload, which we dubbed Ande Loader (MD5: 92fc4d4a1f6cad69ab11484e74815b50) based on the method name used in the previous loaders (MD5: 48b6064beec687fc110145cf7a19640d). The Yara rule on Ande Loader can be accessed here.
We have observed Ande Loader used previously by the Blind Eagle threat actors specifically focused on delivering RATs to Latin American countries.
From Ande Loader, we can see 7 parameters are being passed to the method VAI (Figure 7).
The first parameter contains the link to another paste[.]ee which contains a reversed base64-encoded blob (Figure 8).
The decoded base64-encoded blob is a core payload which we dubbed as SwaetRAT based on the group name/ID (Figure 18). The core payload gets injected into RegAsm.exe via process hollowing (T1055.012), as shown in Figure 9 via Fiber.Class1 class.
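Both the PowerShell stage and the SwaetRAT blob described above are staged as reversed base64 text. The following added example (not code from the original report) is an analyst triage helper that decodes such a blob and reports whether it is script text or a PE file; the function names and the two sample blobs are constructed for illustration.

```python
import base64
import binascii
import hashlib

def decode_reversed_b64(blob: str) -> bytes:
    """Undo the staging encoding: strip whitespace, reverse, base64-decode."""
    text = "".join(blob.split())[::-1]
    text += "=" * (-len(text) % 4)          # tolerate stripped padding
    return base64.b64decode(text, validate=True)

def classify(data: bytes) -> str:
    """Rough content type of a decoded stage."""
    if data[:2] == b"MZ":                   # DOS header of a PE file
        return "pe"
    # UTF-8 first: UTF-16LE script text contains NUL bytes, so it fails the
    # printable check here and passes on the second attempt.
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return "text"
    return "unknown"

def triage(blob: str) -> dict:
    """Decode one retrieved blob and summarise it for the case notes."""
    try:
        data = decode_reversed_b64(blob)
    except (binascii.Error, ValueError):
        return {"kind": "invalid", "size": 0, "md5": None}
    return {"kind": classify(data), "size": len(data),
            "md5": hashlib.md5(data).hexdigest()}

# Constructed samples (not the real stages): a script line and a PE-like stub.
SAMPLE_SCRIPT = base64.b64encode(b"Write-Output 'constructed sample'").decode()[::-1]
SAMPLE_BINARY = base64.b64encode(b"MZ" + bytes(62)).decode()[::-1]

if __name__ == "__main__":
    for name, blob in (("script", SAMPLE_SCRIPT), ("binary", SAMPLE_BINARY)):
        print(name, triage(blob))
```

The MD5 in the result can be compared against the hashes listed in the indicator table.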
The second parameter is null, which means no AntiVM option was enabled. The AntiVM feature would check for processes that contain “vmtoolsd” or “VBoxService” (Figure 10).
The third parameter is “2” which makes the binary check for the presence of the initial VBS payload named “VbsName” under C:\ProgramData folder on the infected machine via switch-case structures.
If the file doesn’t exist, it proceeds with creating a persistence via Startup (T1547.001) with the shortcut file named “LnkName” as shown in Figure 11.
SwaetRAT (MD5: d6d29037517bb1d8202efbf39534df7a) is a 32-bit RAT written in .NET. Like other RATs, SwaetRAT has keylogging capabilities. The logged keystrokes are recorded and saved under %TEMP%/Log.tmp file (Figure 12).
The RAT enters an infinite loop with a 2-second pause on each iteration and searches the Log.tmp file for mentions of Paypal and Binance. If a match is found, it appends “Banking Found: ” and sends it to the C2 (Figure 13).
Within the Info method, the RAT collects system information (Figure 14).
It constructs this string by concatenating several pieces of data, separated by a delimiter defined in Settings.Splitter, which is “<Remote>”.
The information includes:
The UAC Method checks if the current user has administrative privileges. It attempts to create a WindowsPrincipal object for the current user WindowsIdentity.GetCurrent() and then checks if this user is in the role of WindowsBuiltInRole.Administrator.
If the user has administrative privileges, it returns true; otherwise, false.
An example of the traffic for the SwaetRAT is shown in Figure 15.
The ID generation algorithm is as follows:
The ReadPacket class (Figure 17) is responsible for parsing commands from the C2. It receives the data, which is converted to a string and split into parts using a delimiter.
Based on the first element of the array (text), it determines what action to perform. Several commands are handled:
SwaetRAT creates the mutex “qVnqcuDNS5fGFGb”, which is defined under the Settings class in the configuration (Figure 18). If the mutex already exists, the process exits.
A Yara rule on SwaetRAT can be accessed here.
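The host-side behaviours described above (the VBS file under the ScreenConnect temp folder, RegAsm.exe as the hollowed process, the Startup shortcut and the Log.tmp keylog file) can be correlated per host. The following is an added hunting example, not eSentire's detection logic: the event schema (type, host, image, path), the two-stage threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# (rule name, event type, field to match, pattern). Paths and the RegAsm.exe
# process name come from the report; the event schema is hypothetical.
RULES = [
    ("vbs_in_screenconnect_temp", "file_create", "path",
     r"\\Documents\\ConnectWiseControl\\Temp\\[^\\]+\.vbs$"),
    ("regasm_network", "net_connect", "image", r"\\RegAsm\.exe$"),
    ("startup_lnk", "file_create", "path",
     r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$"),
    ("keylog_file", "file_create", "path", r"\\Temp\\Log\.tmp$"),
]
COMPILED = [(n, t, f, re.compile(rx, re.IGNORECASE)) for n, t, f, rx in RULES]

def hunt(events, min_stages=2):
    """Return {host: [matched rules]} for hosts hitting >= min_stages rules.

    Any single rule is weak on its own (a Startup shortcut is often benign),
    so hosts are reported only when several distinct stages line up.
    """
    hits = defaultdict(set)
    for ev in events:
        for name, etype, field, rx in COMPILED:
            if ev.get("type") == etype and rx.search(ev.get(field, "")):
                hits[ev["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample telemetry: WS-01 follows the chain, WS-02 is benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS-01", "image": "",
     "path": r"C:\Users\u1\Documents\ConnectWiseControl\Temp\File_Vbs.vbs"},
    {"type": "net_connect", "host": "WS-01", "path": "",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "file_create", "host": "WS-01", "image": "",
     "path": r"C:\Users\u1\AppData\Local\Temp\Log.tmp"},
    {"type": "file_create", "host": "WS-02", "image": "",
     "path": r"C:\Users\u2\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```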
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.
Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:
| Name | Indicator |
| --- | --- |
| Initial website serving as a redirector | receipt-view.blogspot[.]com |
| Compromised URL | jewelrycleaningmachine[.]com |
| ScreenConnect | 412e11d3ff7659c7d05194cc5e0e1f32 |
| ScreenConnect URL | legal-advocate.screenconnect[.]com |
| ScreenConnect IP | 147.75.81[.]214 |
| File_Vbs.vbs | 91570b30470e0375c62972a268fcaee7 |
| Ande Loader | 92fc4d4a1f6cad69ab11484e74815b50 |
| SwaetRAT | d6d29037517bb1d8202efbf39534df7a |
| SwaetRAT C2 | dns-govv[.]ink |
| URL hosting SwaetRAT binary | paste[.]ee/d/k7m1f/0 |
| URL hosting Ande Loader | uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879 |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.