TRU Positives: Weekly investigation summaries and recommendations from eSentire’s Threat Response Unit (TRU)
Purple Fox Exploit Kit
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Drive-by exploit attack attempting to deploy malware on a victim’s workstation
The TRU team linked the attack to the Purple Fox Exploit Kit, which exploits known vulnerabilities in Internet Explorer to execute malicious code
Additional exploit payloads are retrieved via data hidden in image files (a technique known as steganography). These payloads are customized to the target based on system configuration.
The attacker’s objective is deployment of rootkits on end user devices.
How did we find it?
Our Machine Learning PowerShell classifier detected obfuscated PowerShell executing as a result of a successful Internet Explorer exploit. eSentire MDR for Endpoint prevented the resulting PowerShell code from executing.
Our 24/7 SOC was alerted and investigated
Attempted execution of malicious PowerShell code resulting from a successful Internet Explorer exploit.
What did we do?
Alerted the customer and isolated the host as we investigated
Confirmed the exploit attempt was blocked successfully and the customer’s workstation was not compromised
Provided remediation recommendations and support
TRU analyzed the attack infrastructure and exploit payloads associated with the Purple Fox threat. The information gleaned was fed back into our processes, including adding further detection measures across the Atlas XDR platform to better protect our global customer base from attacks such as this.
Our investigation confirmed that the PowerShell code was hidden behind several layers of obfuscation to impede analysis. In this instance, our analysts observed the code fetching a remote image. The image uses a technique known as steganography to embed data or tools within the image without changing its appearance. In this case the image uses only three different colors, and one of the color components was altered to embed the malicious tooling, a level of detail often missed without expert-level threat hunting and investigation capabilities.
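As an added illustration of the steganography check described above (example code, not eSentire’s or the Purple Fox kit’s): a constructed three-color image, modelled as a list of RGB tuples, is examined channel by channel, and a channel carrying hidden data is exposed because both least-significant-bit values appear inside what should be a single palette color. The palette, the cover pattern, the channel index and the "TRU sample payload" bytes are assumptions made for the example.

```python
# Added example (not eSentire's code): spot and recover data hidden in the
# least-significant bit (LSB) of one color component of a low-palette image.
# Pixels are modelled as (r, g, b) tuples so the check runs without Pillow.

# Constructed three-color palette, as in the image described in the post.
PALETTE = [(255, 0, 0), (0, 255, 0), (0, 0, 255)]


def make_cover(width, height):
    """Build a constructed 3-color cover image with no hidden data."""
    return [PALETTE[(x // 4 + y // 4) % 3]
            for y in range(height) for x in range(width)]


def embed_lsb(pixels, channel, payload):
    """Write payload bits into the LSB of one channel (only used here to
    construct the sample the detector is run against)."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    out = list(pixels)
    for k, bit in enumerate(bits):
        px = list(out[k])
        px[channel] = (px[channel] & ~1) | bit
        out[k] = tuple(px)
    return out


def find_altered_channel(pixels):
    """Group pixels by their color with every LSB cleared. In a clean palette
    image each group has a constant LSB in every channel; the channel that
    carries hidden bits shows both 0 and 1 within the same group.
    Returns the index of the single anomalous channel, or None."""
    groups = {}
    for px in pixels:
        key = tuple(v & ~1 for v in px)
        seen = groups.setdefault(key, [set(), set(), set()])
        for ch in range(3):
            seen[ch].add(px[ch] & 1)
    mixed = [ch for ch in range(3)
             if any(g[ch] == {0, 1} for g in groups.values())]
    return mixed[0] if len(mixed) == 1 else None


def extract_lsb(pixels, channel, n_bytes):
    """Recover n_bytes from the LSBs of one channel for analyst inspection."""
    bits = [px[channel] & 1 for px in pixels[:n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))
```

On a real sample the same grouping is applied to the decoded pixel array; a single channel with mixed LSBs inside one palette color is the signal worth pulling into a sandbox for payload analysis.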
What can you learn from this TRU positive?
Drive-by exploit attacks remain a viable attack vector
Vulnerable applications exposed to untrusted code (such as web browsers) are most at risk
These attacks require no interaction from the user; simply visiting a malicious page is enough
Purple Fox uses several techniques to evade detection and impede analysis, and customizes its behavior based on the victim’s machine.
Preventing drive-by exploits requires a layered defense:
Audit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor security updates
Protect endpoints against malware using managed endpoint detection and response support
Rapid identification and containment of successful exploits is necessary to limit impact. Unsuccessful attempts still present an opportunity to shore up defenses.
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.
eSentire Threat Intel
Threat Intelligence Research Group