Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
- Email attack employing malicious Excel document which installs JSSLoader RAT, a Remote Access Trojan
- This tool allows threat actors to retrieve information and remotely control compromised devices
- Devices under control of threat actors can be used as an initial access beachhead to launch follow-on stages of an attack
- JSSLoader is a popular RAT.
- Recent attacks distributed malicious emails linking to a “Letter of Complaint” hosted on a lookalike domain for a spirits and wine business. Viewing the complaint led to a malicious Excel document that initiates JSSLoader.
Website impersonating Brown-Forman Corporation hosted on lookalike domain. Clicking the “Show complaint” button leads to a macro-laced Excel document.
Weaponized Excel document. Enabling macros initiates the JSSLoader malware.
How did we find it?
- JSSLoader was identified through threat-hunting activities
- Our 24/7 SOC was alerted and investigated
What did we do?
- Determined the scope and impact of the activity prior to alerting the customer
- Analyzed payloads, infrastructure and TTPs associated with the attack
- Our eSentire Threat Response Unit (TRU) conducted additional threat hunts based on this information
- Analysts added malicious infrastructure to our Atlas XDR Cloud Platform to disrupt network activity automatically
What can you learn from this TRU positive?
- Well-resourced threat groups are capable of crafting compelling phishing attacks which evade security controls
- Consider how you can operationalize threat intelligence data to identify previously undetected compromise in your environment
- Preventing email-borne malware requires a layered defense:
- Employ email filtering and protection measures:
- Block or quarantine email attachments such as EXEs, Password Protected ZIPs, Javascript, VisualBasic scripts
- Implement anti-spoofing measures such as DMARC and SPF
- Employ a Multi-Factor Authentication solution to reduce impact of compromised credentials
- Train users to identify and report suspicious emails
- Protect endpoints against malware
- Ensure antivirus signatures are up-to-date
- Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats
- Limit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security
- Employ email filtering and protection measures:
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.
