Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Flexible MDR packages that enhance your cyber resilience and security operations.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
THE THREAT eSentire is aware of widespread exploitation attempts targeting the recently disclosed ownCloud vulnerability CVE-2023-49103. CVE-2023-49103 (CVSS: 10) is tracked as a disclosure of… READ NOW
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Waterloo, ON and GITEX GLOBAL 2023, Dubai, UAE – October 18, 2023 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced that Inspira Enterprise Inc, (Inspira), a… READ NOW
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
Business professionals search google for free office forms (invoices, questionnaires, and receipts) but get served a RAT
eSentire, a leading cybersecurity solutions provider, reported today that business professionals are currently being lured to hacker-controlled websites, hosted on Google Sites, and inadvertently installing a known, emerging Remote Access Trojan (RAT). eSentire has detected several incidents in the past week. The attack starts with the potential victim performing a search for business forms such as invoices, questionnaires, and receipts. Unlike the LinkedIn spearphishing campaign eSentire reported last week that utilized email and LinkedIn channels, this campaign lays long-standing traps for victims using Google search redirection and the drive-by- download method. Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim’s network.
Upon attempting to download the alleged document template, users are redirected, unknowingly, to a malicious website where the RAT malware is hosted. eSentire’s Threat Response Unit (TRU) discovered over 100,000 unique web pages that contain popular business terms/particular keywords: template, invoice, receipt, questionnaire, and resume. In a precursory search, 70,000 unique web pages included the mention of either template or invoice. These common business terms serve as keywords for the threat actors’ search optimization strategy, convincing Google’s web crawler that the intended content meets conditions for a high PageRank score.
Once the target lands on a site controlled by the hacker, the page shows download buttons for the document template they were searching. When clicked, the business professional is redirected (unknowingly) to a malicious website which serves up an executable disguised as a pdf document or a word document. In the incident which eSentire investigated, when the executable (disguised as a pdf) was launched by the user, they simultaneously installed the SolarMarker RAT (also referred to as Yellow Cockatoo, Jupyter, and Polazert) and a complimentary copy of the Slim PDF reader application. Slim PDF is a legitimate application for reading pdfs. The pdf reader application is installed by the threat actors, either in an effort to convince the victim of the legitimacy of the document they were seeking or as a distraction from the installation of the RAT. As with any RAT, once SolarMarker is active, the threat actors can send commands and upload additional files to the infected system. The TRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspect any number of possibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations.
“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire. “For instance, the Solar Marker group has:
“Another troubling aspect of this campaign is that the SolarMarker group has populated many of their malicious web pages with keywords relating to financial documents, e.g., statements, receipts, invoices, etc.,” continued Hutchinson.. “A financial cybercrime group would consider an employee, working in the finance department of a company, or an employee, working for a financial organization, a high value target. In fact, the SolarMarker incident which eSentire disrupted involved an employee of a financial management company. Once a remote access trojan (RAT) has been installed on a victim’s computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization. Or a credential stealer could be installed, which could be used to steal the employee’s email credentials, enabling the hackers to launch a business email compromise scheme. Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous.”
The emerging RAT is written with the .NET software framework, and tracked as Jupyter, Yellow Cockatoo, SolarMarker, and now being tracked as Polazert on twitter . SolarMarker was first observed by eSentire in early October 2020. The eSentire Threat Response Unit (TRU) tracks this threat as SolarMarker due to the observed tracking file dropped for host identification. Throughout October and November 2020, SolarMarker utilized docx2rtf.exe as a decoy to distract users as the .NET silently installed itself in the background. Red Canary reports SolarMarker changing this decoy application throughout the following months  using in September 2020 photodesigner7_x86-64.exe and Expert_PDF.exe in November 2020, while the TRU continued to see docx2rtf.exe. The TRU has now discovered that the SolarMarker group is using Slim PDF Reader. See Figure 1 and Figure 2.
Figure 1. The attack chain starts with a google search and ends in the installation of SolarMarker and lesser-known PDF viewer.
Figure 2: Process tree outlining the installation of SolarMarker. Note the Adobe icon on the installer file. The RAT, labeled (unknown), then goes on to install the decoy document and make malicious PowerShell calls.
SolarMarker captures victims via Google Search redirect. Often, clients are looking for a free version or template of a document. In the latest incident observed by TRU, the victim, who works in the financial industry, was redirected to a Google Sites page controlled by the threat actor with an embedded download button. The download button, hosted at passiondiamond[.]site, is easy to customize. The TRU team was able to generate a document named “this is a test” for download (Figure 3). Note the search redirect content (see Figure 4) populated on the malicious web page just below the download buttons in Figure 3.
Figure 3: The Download button that is embedded in the Google Site
Figure 4: The search redirect content populated on the malicious web page just below the download buttons in figure 3.
Figure 5: Examining the source of the embedded button page reveals a link to a .tk domain and icon sources
The decoy program, Slim PDF, serves as an important visual cue for potential victims of SolarMarker but also helps to lower suspicion of malicious intent. The attached screenshot (Figure 6) is from the Slim PDF website
Figure 6: Screenshot from the Slim PDF reader website
eSentire's TRU first saw SolarMarker utilizing Shopify for its search redirection method in October 2020. In that case, the redirection infrastructure was embedded in a hosted PDF that provided links to the threat actor’s maliciously controlled infrastructure where the RAT (and its decoy payloads) is hosted. In 2021, the redirection method shifted to Google Sites.
The redirection method for Shopify was highlighted by Security Magic  who also mentioned the usage of Google Sites. To capture search results, the threat actors loaded the redirection content with keywords. In the case of Shopify, the keywords were hidden as white text at the bottom of the PDF (Figure 7). In recent attacks, however, Google Sites is being leveraged with an embedded download button (Figure 3) that leads to attacker-controlled infrastructure. As with the Shopify PDF, a block of text with keywords is included. In the case of Google Sites, the keyword content is placed directly in the site, below the landing button and some white space (Figure 4).
Figure 7: Highlighting the second page of the Shopify-hosted PDF reveals the hidden text used to rank high in Google results
The redirection infrastructure passes through a series of .tk TLDs before landing on the final .ml TLD domain. See Figure 8. Upon visiting the infrastructure with a VM, no such redirects are experienced. Upon inspecting the source code of the embedded download button at passiondiamond.site, researchers found an entirely different .tk domain, indicating a possibility that these redirect pathways are dynamic and can be changed for either operational security or delivery efficacy. It’s possible that any number of checks are being performed on the visiting browser and operating system to ensure they are being operated by victims, not security researchers.
Figure 8: SolarMarker’s redirect path from the search result to the final payload site
 Mar 09, 2021 - https://twitter.com/JAMESWT_MHT
Being tracked as #Polazert
 Feb 08, 2021 - https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/
Google Sites mentioned
Infection Chain Shown
Detailed Reversing / Snippets
 Dec 12, 2020 - http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html
Shows Shopify Method
Google Sites mentioned
 Dec 04, 2020 - https://redcanary.com/blog/yellow-cockatoo/
Overview of Decoys used
 Nov 12, 2020 - https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction
First Public Report on SolarMarker
For more information about this threat and how to protect against it go to https://www.esentire.com/get-started