TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU)
BY eSentire Threat Response Unit (TRU)
May 4, 2023 | 9 MINS READ
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
QuickBooks is a popular accounting software developed and marketed by Intuit. It is designed to help small and medium-sized businesses manage their finances, including tracking income and expenses, invoicing customers, managing bills, and generating financial reports.
Our Incident Handling team was notified about a scamming attempt against one of our clients in the financial sector. The client reported being unable to access one of their QuickBooks files; upon opening the file, they received a warning message instructing them to call a phone number that appeared to belong to Intuit Technical Support.
However, the number was part of a scam. When the victim called the number, the malicious actor offered to sell a service to "repair" the files. The malicious actor claimed to be from QB Exclusive and used Zoho Assist (remote support software) to establish a remote session on the victim's machine.
The eSentire Threat Response Unit (TRU) performed proactive threat hunting across all clients and identified two more infections targeting Business Services and Consulting sector customers.
"QB Exclusive" is purported to provide accounting and bookkeeping services, as well as QuickBooks support and products for sale on their website. However, there are concerns about the legitimacy of the company.
After conducting a more thorough investigation, we discovered that the same phone number listed on the original website appears on two additional websites. One of these websites, which operates under the name Business Growth Solutions, offers QuickBooks consulting services in addition to the sale of QuickBooks products. The second website, also operating under the name Business Growth Solutions, appears to specialize in the sale of office supplies.
The threat actor(s) also listed a random address in the contact form. eSentire TRU assesses it as probable that the malicious actor is using these websites for scamming purposes.
The QuickBooks scam has been identified as a known threat, with concerned users posting messages on Reddit and QuickBooks forums about warning messages and non-legitimate support services being offered for prices ranging from $800 to $2000.
The warning messages appear due to the presence of QuickBooks scamming malware on the machine, and users can get infected with it through a drive-by download, specifically via Google Ads.
The infection typically starts when a user searches for "QuickBooks download" on Google, and the first search result leads them to a malicious website hosting a fake QuickBooks installer.
Please note that the malicious installers will not have the valid QuickBooks signature as shown below.
Legitimate installers are signed by Intuit, Inc. as shown below.
The malicious QuickBooks MSI installer contains two or more files including the DLL dependencies necessary for the malicious binaries to operate as shown in the screenshot below. The files are dropped under C:\Users\Public\Libraries\.
Please note that legitimate QuickBooks files are located under C:\Users\Public\Public Documents\Intuit\QuickBooks\ by default. Any files located under a different folder should be treated as suspicious.
Below is a snippet of the code responsible for displaying the pop-up message that asks the user to input data in the fields and saves that data into sv.ini under C:\Users\Public\Libraries.
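The drop-folder rule above can be turned into a hunt over a file inventory (for example an EDR file listing). This is an added example, not code from the original post: the drop folder, dropped file names and the legitimate QuickBooks folder are taken from the write-up, while the Program Files locations and the sample inventory are assumptions.

```python
"""Triage a Windows file inventory for the QuickBooks scam-malware drop pattern."""
import ntpath

# Drop folder, dropped file names and the legitimate folder come from the write-up.
DROP_DIR = r"C:\Users\Public\Libraries"
DROPPED_NAMES = {"qbd.exe", "runtimebokers.exe", "sv.ini", "err.bin", "err.html",
                 "90s.rtf", "newtonsoft.json.dll", "win32_api.dll"}
LEGIT_DIR = r"C:\Users\Public\Public Documents\Intuit\QuickBooks"
# Assumption (not from the write-up): installed QuickBooks binaries live under Program Files.
PROGRAM_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")
BINARY_EXT = (".exe", ".dll", ".msi")

def _under(path: str, folder: str) -> bool:
    """Case-insensitive test that path lies beneath folder (Windows path rules)."""
    p = ntpath.normcase(ntpath.normpath(path))
    f = ntpath.normcase(ntpath.normpath(folder))
    return p.startswith(f + ntpath.sep)

def classify(path: str) -> str:
    """Return a verdict for one inventory entry."""
    name = ntpath.basename(path).lower()
    if _under(path, DROP_DIR):
        if name in DROPPED_NAMES:
            return "malicious-artifact"      # known dropped file in the known drop folder
        if name.endswith(BINARY_EXT):
            return "suspicious-executable"   # Public\Libraries should hold no binaries
    if "quickbooks" in name and name.endswith(BINARY_EXT):
        expected = (_under(path, LEGIT_DIR)
                    or any(_under(path, d) for d in PROGRAM_DIRS))
        return "expected-location" if expected else "unexpected-installer-location"
    return "benign"

def triage(inventory):
    """Group every non-benign entry by verdict."""
    findings = {}
    for path in inventory:
        verdict = classify(path)
        if verdict != "benign":
            findings.setdefault(verdict, []).append(path)
    return findings

# Constructed sample inventory (not real telemetry).
SAMPLE_INVENTORY = [
    r"C:\Users\Public\Libraries\QBD.exe",
    r"C:\Users\Public\Libraries\sv.ini",
    r"C:\Users\Public\Libraries\helper.dll",
    r"C:\Users\bob\Downloads\QuickBooks_Setup.msi",
    r"C:\Program Files\Intuit\QuickBooks 2023\QuickBooksUpdate.exe",
    r"C:\Windows\notepad.exe",
]
```

An installer found outside the expected folders is a review item rather than a verdict, since the infection chain on this page starts with a fake installer downloaded from a search result.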
The QuickBooksDownloder namespace is responsible for retrieving the legitimate QuickBooks installer via API requests to hxxp://185.161.211[.]237/.
Below is the response from that server (185.161.211[.]237) to the get-software API request, containing the links to legitimate QuickBooks installers.
Below is the data that the user enters in the Downloader pop-up form mentioned previously. The data is sent to 185.161.211[.]237 via the add-user API request to retrieve the version the user selected.
The code snippet below is responsible for displaying the HTML content of the “err.bin” file which is a malicious warning message in a web browser control on a Windows form. The code sets various properties of the web browser control to prevent user interaction, such as disabling scrolling, context menus, and keyboard shortcuts.
When the form is loaded, it navigates the web browser control to the local file path of the "err.bin" or “err.html” file.
The code below attempts to connect to one of the listed domains; it tries up to 3 times per domain and, if that fails, moves on to the next one. It then builds a URL string containing the C2 address and the current date and time (obtained via the GetSystemTimeAsFileTime function), for example hxxp://103.251.94[.]106:8080?20230427001224, and retrieves the HTML file.
It's also worth noting that the binary creates the mutex "quickbookslegitaf" to prevent two instances of RuntimeBokers.exe from running, as shown below.
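The check-in URL described above has a distinctive shape: no path and a query string that is nothing but a 14-digit timestamp close to the request time. As an added example (not code from the original post), the following flags that shape in proxy logs; the log layout and the 198.51.100.x hosts are constructed, while the C2 hosts come from the write-up.

```python
"""Flag the scam-malware check-in URL shape in constructed proxy log lines."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Hosts named in the write-up (defanged there; plain here so the URLs parse).
KNOWN_C2 = {"185.161.211.237", "103.251.94.106",
            "quickbooks12.hopto.org", "quickbooks149.hopto.org"}
# Assumed log layout: "<iso-8601 time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
STAMP_RE = re.compile(r"^\d{14}$")  # YYYYMMDDHHMMSS, as in ?20230427001224

def beacon_reason(url: str, seen_at: datetime, skew=timedelta(minutes=10)):
    """Return why a URL looks like a check-in, or None if it does not."""
    u = urlsplit(url)
    if u.hostname in KNOWN_C2:
        return "known C2 host"
    # Generic shape: empty or root path and a query that is just a 14-digit timestamp
    if u.path not in ("", "/") or not STAMP_RE.match(u.query):
        return None
    try:
        stamp = datetime.strptime(u.query, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # 14 digits that do not form a real date/time
    # The implant stamps the current system time, so it must sit close to the request time
    return "timestamp-as-query check-in" if abs(stamp - seen_at) <= skew else None

def scan(lines):
    """Return (client, host, reason) for each line that matches a check-in."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        when, client, _method, url, _status = m.groups()
        seen_at = datetime.fromisoformat(when.replace("Z", "+00:00"))
        reason = beacon_reason(url, seen_at)
        if reason:
            hits.append((client, urlsplit(url).hostname, reason))
    return hits

# Constructed sample log (not real traffic); 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
2023-04-27T00:12:30Z 10.0.0.5 GET http://103.251.94.106:8080?20230427001224 200
2023-04-27T00:13:02Z 10.0.0.5 GET http://quickbooks12.hopto.org/?20230427001258 200
2023-04-27T00:14:00Z 10.0.0.9 GET http://198.51.100.7:8080?20230427001355 200
2023-04-27T00:15:00Z 10.0.0.9 GET http://198.51.100.8/search?q=20230427001455 200
2023-04-27T00:16:00Z 10.0.0.9 GET http://198.51.100.9:8080?20230101000000 200
2023-04-27T00:17:00Z 10.0.0.9 GET http://198.51.100.9:8080?20230427009999 200
"""
```

The last three sample lines show the false-positive guards: a real path, a stale timestamp and a malformed timestamp are all ignored.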
QuickBooks scamming malware achieves persistence via scheduled tasks. We have observed it creating two tasks:
rule QuickBooks_QBD
{
    meta:
        author = "eSentire TI"
        description = "QuickBooks scamming malware"
        date = "4/27/2023"
    strings:
        $s1 = "\\err.html" wide
        $s2 = "C:\\Users\\Simran\\Desktop\\TEST TESt TES\\QuickBooksDownloder\\obj\\Release\\QBD.pdb"
        $s3 = "D:\\Side\\QuickBook_23\\Downloader\\QuickBooksDownloder\\obj\\Release\\QBDownloder.pdb"
        $s4 = "http://185.161.211.237/" wide
        $s5 = "90s.rtf" wide
        $s6 = "err.bin" wide
    condition:
        4 of ($s*) and filesize < 700KB
}

rule QuickBooks_RuntimeBokers
{
    meta:
        author = "eSentire TI"
        description = "QuickBooks scamming malware"
        date = "4/27/2023"
    strings:
        $s1 = "C:\\Users\\Public\\Libraries\\sv.ini"
        $s2 = "C:\\Users\\Public\\Libraries\\err.bin"
        $s3 = "quickbooks12.hopto.org"
        $s4 = "quickbooks149.hopto.org"
        $s5 = "C:\\Users\\Public\\Libraries\\QBD.exe" wide
    condition:
        // PE ("MZ") or ELF ("\x7fELF") header; the ELF magic is 0x464c457f as a little-endian
        // uint32 (the originally published value 0x4464c457f exceeds 32 bits and could never match)
        all of ($s*) and filesize < 400KB and (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)
}
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.