GoSecure, a leading provider of Managed Detection and Response (MDR) services, today announced the details of two recent findings from GoSecure Titan Research. The findings are examples of the speed and technical acumen exhibited by today’s modern cybercriminals. They also illustrate the ease by which attacks can breach cybersecurity infrastructures that rely on traditional tools.
First appearing in early 2020, the Exorcist ransomware came and went fairly quickly. In September 2020, the GoSecure Titan MDR analyst team observed suspicious behavior when an EXE started copying data from the browser’s directory into randomly named text files. The suspicion escalated to a full alert when the same EXE began communicating with a known malicious IP, which instructed the EXE to perform additional suspicious actions:
- Create file oewvcabkhaw.exe
- Create a new process using this file
- Create more suspiciously named files such as poawhepvtl.exe
The coup de grâce comes when a malicious shortcut link, SmartClock.lnk, is added to the user’s startup folder. This shortcut links to a file that is activated using a Registry RunOnce entry, which is, subsequently, deleted.
After GoSecure Titan MDR blocked all suspicious activity, the researchers performed a post-mortem and realized they had found new ransomware, subsequently named Exorcist 2.0 by the media. It was GoSecure’s combination of behavior-based technology and human review that allowed Titan MDR to detect and mitigate this malicious activity. There was no way for traditional solutions to classify the activity as malicious, since none of these tactics had been observed in this exact combination before. It took GoSecure Titan Threat Hunters to identify the suspicious activity, correlate all the behaviors, and accurately classify the full sequence of events as malicious.
During the 2020 holiday season, GoSecure Titan Inbox Detection and Response (IDR) spotted email activity that looked suspiciously like BazarLoader. These malspam messages contained fake employment termination notices and anonymous surveys, creating a sense of urgency for recipients to open the attachment. After stripping away the obfuscation, GoSecure Titan researchers noted a Portable Executable (PE) loaded into memory but behaving unusually: the PE ran as shellcode rather than as a conventional PE, eliminating the calls to thread-related APIs and making the activity harder for simple behavior-based solutions to detect.
Other interesting activity includes:
- Checks whether the keyboard locale is Armenian
- Checks for, and prevents, more than one instance of BazarLoader running
- Uses a non-standard HTTP header, Update
- Includes the string Stupid Defender to mock researchers
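Both findings above are detected by correlating individual behaviors rather than by matching a signature: the Exorcist sequence (browser data copied out, C2 contact, dropped executables, a startup-folder shortcut, a RunOnce entry that is set and then deleted) and the BazarLoader indicators (locale check, single-instance guard, odd HTTP header, taunting string). The following is an added example, not GoSecure Titan code, showing how such behavior correlation can be expressed over a stream of endpoint events. The event vocabulary (`file_read`, `reg_set`, `mem_string`, and so on), the path patterns, the C2 address, the sample events and the alert thresholds are all constructed for illustration; the file names `oewvcabkhaw.exe`, `poawhepvtl.exe` and `SmartClock.lnk` are the ones named in the text.

```python
"""Behavior-based correlation of endpoint events (added example, not GoSecure code).

Event kinds, path regexes, the C2 address and the thresholds are assumptions made
for this illustration; they are not taken from Titan telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    pid: int
    kind: str    # assumed telemetry vocabulary: file_read, file_create, net_connect, proc_create,
                 # reg_set, reg_delete, locale_check, mutex_create, http_header, mem_string
    detail: str


# Constructed intel list; 198.51.100.0/24 is the RFC 5737 documentation range.
KNOWN_BAD_IPS = {"198.51.100.23"}
BROWSER_DIR = re.compile(r"\\(google\\chrome|mozilla\\firefox)\\", re.I)
TEMP_EXE = re.compile(r"\\temp\\[a-z]{8,}\.exe$", re.I)            # random-looking lower-case name
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUNONCE = re.compile(r"\\currentversion\\runonce\\", re.I)


def _ip(detail):
    return detail.split(":", 1)[0]


# Ordered chain from the Exorcist incident; a later step only counts after an earlier one.
EXORCIST_CHAIN = [
    ("browser_read",    lambda e: e.kind == "file_read" and bool(BROWSER_DIR.search(e.detail))),
    ("c2_contact",      lambda e: e.kind == "net_connect" and _ip(e.detail) in KNOWN_BAD_IPS),
    ("drop_exe",        lambda e: e.kind == "file_create" and bool(TEMP_EXE.search(e.detail))),
    ("spawn_dropped",   lambda e: e.kind == "proc_create" and bool(TEMP_EXE.search(e.detail))),
    ("startup_lnk",     lambda e: e.kind == "file_create" and bool(STARTUP_LNK.search(e.detail))),
    ("runonce_set",     lambda e: e.kind == "reg_set" and bool(RUNONCE.search(e.detail))),
    ("runonce_deleted", lambda e: e.kind == "reg_delete" and bool(RUNONCE.search(e.detail))),
]
EXORCIST_MIN_STEPS = 4   # constructed threshold: persistence plus at least three other steps

# Unordered indicators from the BazarLoader analysis; any three together raise an alert.
BAZAR_INDICATORS = [
    ("locale_check",    lambda e: e.kind == "locale_check" and "armenian" in e.detail.lower()),
    ("single_instance", lambda e: e.kind == "mutex_create"),
    ("odd_http_header", lambda e: e.kind == "http_header"
                                  and e.detail.split(":", 1)[0].strip().lower() == "update"),
    ("taunt_string",    lambda e: e.kind == "mem_string" and "stupid defender" in e.detail.lower()),
]
BAZAR_MIN = 3


def match_chain(events, chain):
    """Return the chain steps seen in order; missing steps may be skipped, but never reordered."""
    matched, idx = [], 0
    for e in events:
        for j in range(idx, len(chain)):
            name, pred = chain[j]
            if pred(e):
                matched.append(name)
                idx = j + 1
                break
    return matched


def match_indicators(events, indicators):
    return [name for name, pred in indicators if any(pred(e) for e in events)]


def correlate(events):
    """Group events per (host, pid), preserving stream order, and evaluate both rules."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.host, e.pid)].append(e)
    alerts = []
    for (host, pid), evs in by_proc.items():
        chain = match_chain(evs, EXORCIST_CHAIN)
        if len(chain) >= EXORCIST_MIN_STEPS and "startup_lnk" in chain:
            alerts.append({"host": host, "pid": pid, "rule": "exorcist_like_sequence", "matched": chain})
        inds = match_indicators(evs, BAZAR_INDICATORS)
        if len(inds) >= BAZAR_MIN:
            alerts.append({"host": host, "pid": pid, "rule": "bazarloader_like_indicators", "matched": inds})
    return alerts


# Constructed sample stream: one Exorcist-like process, one BazarLoader-like process,
# and one benign installer that touches the browser profile and the startup folder.
SAMPLE_EVENTS = [
    Event("HOST-A", 4120, "file_read",    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("HOST-A", 4120, "file_create",  r"C:\Users\bob\AppData\Local\Temp\x8f2k.txt"),
    Event("HOST-A", 4120, "net_connect",  "198.51.100.23:443"),
    Event("HOST-A", 4120, "file_create",  r"C:\Users\bob\AppData\Local\Temp\oewvcabkhaw.exe"),
    Event("HOST-A", 4120, "proc_create",  r"C:\Users\bob\AppData\Local\Temp\oewvcabkhaw.exe"),
    Event("HOST-A", 4120, "file_create",  r"C:\Users\bob\AppData\Local\Temp\poawhepvtl.exe"),
    Event("HOST-A", 4120, "file_create",  r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk"),
    Event("HOST-A", 4120, "reg_set",      r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SmartClock"),
    Event("HOST-A", 4120, "reg_delete",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SmartClock"),
    Event("HOST-B", 7788, "locale_check", "keyboard layout list compared against Armenian"),
    Event("HOST-B", 7788, "mutex_create", r"Global\constructed-single-instance-guard"),
    Event("HOST-B", 7788, "http_header",  "Update: constructed-value"),
    Event("HOST-B", 7788, "mem_string",   "Stupid Defender"),
    Event("HOST-C",  900, "file_read",    r"C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"),
    Event("HOST-C",  900, "file_create",  r"C:\Users\ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync.lnk"),
    Event("HOST-C",  900, "mutex_create", r"Global\constructed-installer-mutex"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} pid {a['pid']}: {a['rule']} {a['matched']}")
```

The benign installer on HOST-C reads a browser profile and writes a startup shortcut, which on its own trips two of the Exorcist steps and one BazarLoader indicator, yet produces no alert: the rule fires only on the ordered combination, which is the same reasoning the analysts applied when they escalated the EXE after it contacted the known malicious IP.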
“Organizations face many challenges in today’s threat landscape. Not only are adversaries quickly iterating malware tactics to stay ahead of technique-based cybersecurity solutions, but many organizations also lack sufficient staff and experience to handle the increased sophistication of these attacks,” said Neal Creighton, GoSecure CEO. “With average dwell time of almost 80 days, it is imperative for organizations to stop attacks as quickly as possible to minimize the impact.”
GoSecure Titan MDR dramatically reduces a company’s risk by providing 24/7 visibility into customer environments to identify, track and stop advanced threats. Titan MDR combines the Titan platform with GoSecure’s experienced threat hunting team to identify suspicious activity, correlate behaviors, and accurately classify advanced threats so they are mitigated quickly. In many cases, neither technology nor people, by themselves, can identify and correctly classify such threats – it takes synergy between the two to stop unknown advanced threats like ransomware. GoSecure Titan MDR mitigated over 200 ransomware attacks for customers in 2020 alone.
Key benefits of GoSecure Titan MDR:
- Visibility: 150 unique event types across endpoint, network, email and user behavior compared to industry average of less than 50
- Analysis: ML /AI, combined with human review, to correlate behaviors and events with attack strategies
- Response: Mitigating attacks on average in less than 15 minutes, compared to average dwell time of almost 80 days
- Expertise: Over 6 years of experience operationalizing the MDR connection between people, processes, and technology
Additional details of these GoSecure Titan Research findings can be found on GoSecure’s Security Blog.
To learn more about these attacks, as well as GoSecure Titan MDR, join our upcoming webinar on March 17th: Are Cybercriminals Taking the Lead? Exorcist 2.0 and BazarLoader Deconstructed. Register here.
GoSecure is recognized as a leader and innovator in cybersecurity solutions. The company is the first and only to integrate endpoint, network, and email threat detection into a single Managed Detection and Response service. The GoSecure Titan platform delivers predictive multi-vector detection, prevention, and response by applying a unique combination of behavioral analysis, memory forensics, machine learning, and reputational techniques to counter the most advanced threats. GoSecure Titan MDR is designed to detect and respond in less than 15 minutes, with rapid response and active mitigation services that directly touch the customers’ network and endpoints. Together, these capabilities provide the most effective response to the increased sophistication of continuously evolving malware and malicious insiders that target people, processes, and systems. With a focus on innovation, quality, integrity, and respect, GoSecure has become the trusted provider of cybersecurity products and services to organizations of all sizes, across all industries globally.