Threat landscape continues to evolve, putting organizations at risk

La Jolla, CA. — GoSecure, a leading provider of Managed Detection and Response (MDR) services, today announced the details of two recent findings from GoSecure Titan Research. The findings are examples of the speed and technical acumen exhibited by today’s modern cybercriminals. They also illustrate the ease by which attacks can breach cybersecurity infrastructure’s that rely on traditional tools.

First appearing in early 2020, the Exorcist ransomware came and went fairly quickly. In September 2020, the GoSecure Titan MDR analyst team observed suspicious behavior when an EXE started copying data from the browser’s directory to random text files. The suspicion leads to full-on alert when the same EXE begins communicating with a known malicious IP which instructs the EXE to perform additional suspicious behaviors:

  • Create file oewvcabkhaw.exe
  • Create a new process using this file
  • Create more suspiciously named files such as poawhepvtl.exe

The coup de grâce comes when a malicious shortcut link, SmartClock.lnk, is added to the user’s startup folder. This shortcut links to a file that is activated using a Registry RunOnce entry, which is, subsequently, deleted.

After GoSecure Titan MDR blocked all suspicious activity, the researchers performed a post-mortem and realized they had found new ransomware, subsequently named Exorcist 2.0 by the media. It was GoSecure’s combination of behavior-based technology and human review that allowed Titan MDR to detect and mitigate this malicious activity. There was no way for traditional solutions to define the action as malicious as none of these tactics had been observed in just this way prior. And it took GoSecure Titan Threat Hunters to identify suspicious activity, correlate all behaviors, and accurately classify the full sequence of events as malicious.

During the 2020 Holiday season, GoSecure Titan Inbox Detection and Response (IDR) spotted email activity that looked suspiciously like BazarLoader. These malspam contained fake employment termination notices and anonymous surveys, creating urgency for recipients to open the attachment. After bypassing the obfuscation techniques, GoSecure Titan researchers noted a Portable Executable (PE) loaded into memory but acting unusually. In particular, the PE acted as ShellCode rather than a PE, eliminating the calls to thread related APIs, making it more challenging for simple behavior-based solutions to detect the activity.

Other interesting activity includes:

  • Check if the keyboard locale is Armenian
  • Check, and prevent, more than one instance of BazarLoader running
  • Non-standard HTML header Update
  • Include the string Stupid Defender to mock researchers

“Organizations face many challenges in today’s threat landscape. Not only are adversaries quickly iterating malware tactics to stay ahead of technique-based cybersecurity solutions, but many organizations also lack sufficient staff and experience to handle the increased sophistication of these attacks,” said Neal Creighton, GoSecure CEO. “With average dwell time of almost 80 days, it is imperative for organizations to stop attacks as quickly as possible to minimize the impact.”

GoSecure Titan MDR dramatically reduces a company’s risk by providing 24/7 visibility into customer environments to identify, track and stop advanced threats. Titan MDR combines the Titan platform with GoSecure’s experienced threat hunting team to identify suspicious activity, correlate behaviors, and accurately classify advanced threats so they are mitigated quickly. In many cases, neither technology nor people, by themselves, can identify and correctly classify – it takes synergy between the two to stop unknown advanced threats like ransomware. GoSecure Titan MDR mitigated over 200 ransomware attacks for customers in 2020 alone.

Key benefits of GoSecure Titan MDR:

  • Visibility: 150 unique event types across endpoint, network, email and user behavior compared to industry average of less than 50
  • Analysis: ML /AI, combined with human review, to correlate behaviors and events with attack strategies
  • Response: Mitigating attacks on average in less than 15 minutes, compared to average dwell time of almost 80 days
  • Expertise: Over 6 years of experience operationalizing the MDR connection between people, processes, and technology

Additional details of these GoSecure Titan Research findings can be found on GoSecure’s Security Blog.

To learn more about these attacks, as well as GoSecure Titan MDR, join our upcoming webinar on March 17th: Are Cybercriminals Taking the Lead? Exorcist 2.0 and BazarLoader Deconstructed. Register here.



About GoSecure
GoSecure is a recognized cybersecurity leader, delivering innovative managed security solutions and expert advisory services. GoSecure Titan® managed security solutions deliver multi-vector protection to counter modern cyber threats through a complete suite of offerings that extend the capabilities of our customers’ in-house teams. GoSecure Titan Managed Detection & Response (MDR) offers a best in class mean-time-to-respond, with comprehensive coverage across customers’ networks, endpoints and inboxes. For over 10 years, GoSecure has been helping customers better understand their security gaps, improve organizational risk and enhance security posture through advisory services provided by one of the most trusted and skilled teams in the industry.

    Media Contact

      info@gosecure.net

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858