GoSecure Titan Research Announces Recent Findings

Threat landscape continues to evolve, putting organizations at risk

La Jolla, CA. — GoSecure, a leading provider of Managed Detection and Response (MDR) services, today announced the details of two recent findings from GoSecure Titan Research. The findings are examples of the speed and technical acumen exhibited by today’s modern cybercriminals. They also illustrate the ease by which attacks can breach cybersecurity infrastructure’s that rely on traditional tools.

First appearing in early 2020, the Exorcist ransomware came and went fairly quickly. In September 2020, the GoSecure Titan MDR analyst team observed suspicious behavior when an EXE started copying data from the browser’s directory to random text files. The suspicion leads to full-on alert when the same EXE begins communicating with a known malicious IP which instructs the EXE to perform additional suspicious behaviors:

• Create file oewvcabkhaw.exe
• Create a new process using this file
• Create more suspiciously named files such as poawhepvtl.exe

The coup de grâce comes when a malicious shortcut link, SmartClock.lnk, is added to the user’s startup folder. This shortcut links to a file that is activated using a Registry RunOnce entry, which is, subsequently, deleted.

After GoSecure Titan MDR blocked all suspicious activity, the researchers performed a post-mortem and realized they had found new ransomware, subsequently named Exorcist 2.0 by the media. It was GoSecure’s combination of behavior-based technology and human review that allowed Titan MDR to detect and mitigate this malicious activity. There was no way for traditional solutions to define the action as malicious as none of these tactics had been observed in just this way prior. And it took GoSecure Titan Threat Hunters to identify suspicious activity, correlate all behaviors, and accurately classify the full sequence of events as malicious.

During the 2020 Holiday season, GoSecure Titan Inbox Detection and Response (IDR) spotted email activity that looked suspiciously like BazarLoader. These malspam contained fake employment termination notices and anonymous surveys, creating urgency for recipients to open the attachment. After bypassing the obfuscation techniques, GoSecure Titan researchers noted a Portable Executable (PE) loaded into memory but acting unusually. In particular, the PE acted as ShellCode rather than a PE, eliminating the calls to thread related APIs, making it more challenging for simple behavior-based solutions to detect the activity.

Other interesting activity includes:

• Check if the keyboard locale is Armenian
• Check, and prevent, more than one instance of BazarLoader running
• Non-standard HTML header Update
• Include the string Stupid Defender to mock researchers

“Organizations face many challenges in today’s threat landscape. Not only are adversaries quickly iterating malware tactics to stay ahead of technique-based cybersecurity solutions, but many organizations also lack sufficient staff and experience to handle the increased sophistication of these attacks,” said Neal Creighton, GoSecure CEO. “With average dwell time of almost 80 days, it is imperative for organizations to stop attacks as quickly as possible to minimize the impact.”

GoSecure Titan MDR dramatically reduces a company’s risk by providing 24/7 visibility into customer environments to identify, track and stop advanced threats. Titan MDR combines the Titan platform with GoSecure’s experienced threat hunting team to identify suspicious activity, correlate behaviors, and accurately classify advanced threats so they are mitigated quickly. In many cases, neither technology nor people, by themselves, can identify and correctly classify – it takes synergy between the two to stop unknown advanced threats like ransomware. GoSecure Titan MDR mitigated over 200 ransomware attacks for customers in 2020 alone.

Key benefits of GoSecure Titan MDR:

• Visibility: 150 unique event types across endpoint, network, email and user behavior compared to industry average of less than 50
• Analysis: ML /AI, combined with human review, to correlate behaviors and events with attack strategies
• Response: Mitigating attacks on average in less than 15 minutes, compared to average dwell time of almost 80 days
• Expertise: Over 6 years of experience operationalizing the MDR connection between people, processes, and technology

Additional details of these GoSecure Titan Research findings can be found on GoSecure’s Security Blog.

To learn more about these attacks, as well as GoSecure Titan MDR, join our upcoming webinar on March 17th: Are Cybercriminals Taking the Lead? Exorcist 2.0 and BazarLoader Deconstructed. Register here.

About GoSecure
GoSecure is a recognized cybersecurity leader, delivering innovative managed security solutions and expert advisory services. GoSecure Titan® managed security solutions deliver multi-vector protection to counter modern cyber threats through a complete suite of offerings that extend the capabilities of our customers’ in-house teams. GoSecure Titan Managed Detection & Response (MDR) offers a best in class mean-time-to-respond, with comprehensive coverage across customers’ networks, endpoints and inboxes. For over 10 years, GoSecure has been helping customers better understand their security gaps, improve organizational risk and enhance security posture through advisory services provided by one of the most trusted and skilled teams in the industry.