12 Months of Fighting Cybercrime | SentinelLabs 2020 Review

SentinelLabs came into being at the back end of 2019 as a means of providing value to the cyber security community by focusing on research and threat intelligence unavailable elsewhere. In an action-packed 13 months or so since then, we have published 65 posts on malware, ransomware, phishing campaigns, threat actors, software vulnerabilities and cybercrime fighting tools, and we have plenty more research and intelligence coming in 2021, too!

Looking back over the last 12 months, we have seen the cybercrime story unsurprisingly dominated by social engineering and malware campaigns themed around the COVID-19 pandemic. But there was plenty more going on this year, from an explosion in RaaS (ransomware as a service) offerings and victim data extortion by operators like Maze and Egregor, to a unique macOS ransomware/spyware campaign and, notably, the SUNBURST SolarWinds Orion supply chain attack.

Of course, you can catch up on all our research and threat intelligence posts over at SentinelLabs, but for a quick recap on some of the main highlights, take a scroll through our 2020 timeline below.


Following on from SentinelLabs’ groundbreaking discovery of the TrickBot Anchor malware at the end of 2019, our first research post of 2020 broke news of a new TrickBot backdoor called “PowerTrick”. Built for stealth, persistence and reconnaissance, PowerTrick is deployed inside infected high-value targets such as financial institutions.

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets


North Korean cybercrime actors, specifically the Lazarus group (aka ‘Hidden Cobra’), have a long and storied history of destructive cyber attacks. 2020 was no different for the APT group, with campaigns targeting macOS as well as the Windows platforms. SentinelLabs rounded up a collection of this adversary’s toolsets, including Bistromath, Hoplight, Slickshoes and more.

DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity


TA505 is a crimeware group that has been active since at least 2014 and is associated with a variety of advanced malware families, including Dridex, FlawedAmmyy, SDBot, TrickBot and Get2, a downloader used to deliver any of the above (and others). SentinelLabs developed a unique unpacker for the crypter used to obfuscate Get2 DLLs, using an SMT solver to recover the decryption logic.

Breaking TA505’s Crypter with an SMT Solver


More generally known as a banking malware trojan, the IcedID botnet was also deployed during 2020 to take advantage of the COVID-19 pandemic and to engage in a spot of tax fraud. SentinelLabs was the first to uncover how the infamous IcedID botnet uses social engineering and custom PowerShell uploaders to steal documents related to the victim’s identity and tax returns.

IcedID Botnet | The Iceman Goes Phishing for US Tax Returns


Understanding how APT actors operate is key to protecting your organization. SentinelOne’s Vigilance MDR team revealed how their Incident Response procedure uncovered an APT actor’s entry point, lateral movement, and persistence mechanisms.

The Anatomy of an APT Attack and Cobalt Strike Beacon’s Encoded Configuration


This year, NetWalker ransomware, like many others, evolved into a RaaS (ransomware as a service) offering and also incorporated data leakage extortion into its repertoire. SentinelLabs revealed affiliate preconditions, technical details, and victim exploitation associated with the NetWalker RaaS.

NetWalker Ransomware: No Respite, No English Required


A rare case of ransomware came to the macOS platform in 2020, variously called ‘EvilQuest’, ‘ThiefQuest’ and ‘MacRansom.K’. SentinelLabs researchers were the first to reverse the encryption routine used in the malware and to release a public decryptor for any unfortunate victims.

Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine


Right up until August, Maze was one of the most widespread and successful ransomware threats out there. Maze’s success can in part be attributed to the fact that attacks are customized by human operators to exploit the particular environment of victims. SentinelLabs caught one in action and detailed the attacker’s moves.

Case Study: Catching a Human-Operated Maze Ransomware Attack In Action


From the earliest months of the pandemic, threat actors exploited the COVID-19 coronavirus in multiple ways. This rolling blog post began in February and details the phishing campaigns and other social engineering lures seen by SentinelLabs throughout the year.

Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic


In October, CISA released an urgent advisory warning that cybercriminals were targeting the Healthcare and Public Health (HPH) sector with Ryuk and Conti ransomware. The threat actors relied heavily on Anchor, a TrickBot derivative, as a loader to infect victims, and leveraged both DNS tunneling and ICMP for C2 communications. SentinelLabs was the first to uncover and reverse the ICMP component of the Anchor module.

Anchor Project for Trickbot Adds ICMP


Widely believed to be the successor to the Maze ransomware, Egregor appeared around mid-September and has already been associated with cyberattacks against GEFCO, Barnes & Noble, Ubisoft, and numerous others. SentinelLabs detailed its payload, its use of Cobalt Strike and Rclone, and its post-compromise behavior.

Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone


The final month of 2020 revealed that a nation-state actor had been running a campaign since at least April via what may turn out to be one of the most damaging supply chain attacks of all time, the compromise of SolarWinds Orion, first detected in the environment of cyber security outfit FireEye. While we were able to validate that no SentinelOne customers were victims of this wide-ranging breach, many others were not so lucky, and the fallout from SUNBURST is likely to continue into 2021. SentinelLabs took a look inside the SUNBURST backdoor and at the SUPERNOVA webshell trojan, which was also found on compromised Orion servers.

SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan


2020 turned out to be a busy twelve months for all those involved in fighting cybercrime, and for SentinelLabs’ researchers, there was no shortage of threats and threat intelligence to keep on top of. And of course, we’ll be right there with you throughout this coming year and beyond.

To all, we wish a happy and secure New Year and 2021. Ensure that you keep your organization, endpoints, network and cloud infrastructure safe with SentinelOne’s award-winning Singularity platform, and keep your security team up-to-date with SentinelLabs’ original and timely research.

The Good, the Bad and the Ugly in Cybersecurity – Week 52

The Good

2020 has seen many international operations against cybercriminals and cybercrime infrastructure. This week, we were pleased to learn that law enforcement agencies continue the good fight with another impressive operation. Operation Nova, a coordinated law enforcement operation led by the German Police, Europol, the FBI and other law enforcement agencies from around the world, resulted in the takedown of Safe-Inet, a virtual private network (VPN) service used by a number of prominent cybercrime groups.

The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States.

The VPN service was active for over a decade and was used by ransomware operators and other cybercriminals to cover their tracks. The service was sold at a high price and billed as “one of the best tools available to avoid law enforcement detection”, offering up to five layers of anonymous VPN connections.

The Head of Europol’s European Cybercrime Centre, Edvardas Šileris said:

“The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service. Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them.”

The Bad

Cryptocurrencies are all the rage at the moment. The main currency, Bitcoin, has reached new heights, carrying the entire crypto market with it. But before these currencies can really become mainstream, several security challenges around the trading and safekeeping of cryptocurrency remain to be solved. Case in point: cryptocurrency hardware wallet company Ledger was breached earlier this year, and this week the details of 272,000 customers, including names, mailing addresses, and phone numbers, were dumped online to RaidForums, a site for sharing hacked databases.

France-based Ledger reported back in July that it had discovered a breach of its e-commerce and marketing databases resulting in the theft of customer email addresses. The publication of the full database now increases the likelihood of Ledger customers becoming victims of phishing attacks by cybercriminals trying to obtain their recovery phrases and private keys. There have even been some reports of threats of personal violence.

There are crypto troubles on the other side of the English Channel, too. British cryptocurrency exchange EXMO disclosed on Monday that its hot wallets had been compromised. It is not yet known how the attackers breached EXMO, but the company is estimated to have lost over $10 million from the hot wallet breach, or about 6% of its total crypto assets.

In a statement, EXMO notified its clients of the breach and warned them not to deposit any funds into existing wallets. Meanwhile, all withdrawal activity has been suspended.

The Ugly

The European Court of Human Rights has been offline since Tuesday after being hit by a cyberattack. The attack came after the court published a ruling calling for the release of the incarcerated former leader of the pro-Kurdish Peoples’ Democratic Party (HDP), Selahattin Demirtaş. The Court found that the detention of 47-year-old Demirtaş, which has lasted more than four years, goes against “the very core of the concept of a democratic society.”

Anka Neferler Tim, a Turkish hacktivist group, claimed responsibility for the attack on its Facebook, Twitter and YouTube accounts:

“The website of the European Court of Human Rights, who wanted Selahattin Demirtaş’s release, has been closed due to our attacks. We are not opening the site until they make an apology statement!”

As of the time of writing, the site is still unavailable. The type of attack has not been disclosed, but given Anka Neferler Tim’s history, it was most likely a DDoS attack.

The European Court of Human Rights provided this statement:

“Following the delivery of the Selahattin Demirtas v. Turkey (no. 2) judgment on 22 December, the website of the European Court of Human Rights was the subject of a large-scale cyberattack which has made it temporarily inaccessible. The Court strongly deplores this serious incident. The competent services are currently making every effort to remedy the situation as soon as possible.”

The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

This week, law enforcement in India arrested over 50 individuals in Delhi based on their ties to a global call-center scam operation.

It is alleged that the individuals involved scammed over 4,500 victims out of more than $14 million. The aggressive scammers would contact their victims by phone and proceed to extort funds from them in the form of bitcoin (BTC) or gift cards. The scam involved telling victims that their personal details had been found at a crime scene or that their banking details were being used in some illegal activity. The attackers would then inform the victims that the only way to ‘safeguard’ their money was to transfer funds to specific bitcoin addresses or to buy and hand over gift cards.

Investigators from the Delhi Police Cyber-Crime Unit were able to trace scammed funds from victims in the USA and other countries back to the group in India. The cybercrime unit has also dismantled 25 other scam call centers this year. Let’s have a round of applause for these officers!

There’s also some good news associated with the ongoing SolarWinds situation. FireEye, in cooperation with Microsoft and GoDaddy, has implemented a “kill switch” that prevents the SUNBURST malware from continuing to operate. According to its public statement:

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

“This killswitch will affect new and previous SUNBURST infections…However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.”

We encourage all to keep up to date with the SentinelOne blog for ongoing details around SolarWinds.

The Bad

SystemBC, discovered in 2018, has become a prolific presence in the armoury of attackers across the spectrum of sophistication. Initially, the tool was used to mask command and control traffic behind SOCKS5 proxies. Early on, it was seen in tandem with many financially-motivated campaigns involving banking trojans.

This week brought wider attention to SystemBC after it was found to be used in conjunction with common ransomware attacks. According to recent reports, well-established groups (e.g., Egregor, Ryuk) are using SystemBC for deployment purposes, complementing the use of other commodity malware such as Zloader, BazarLoader and QBot.

These more recently discovered implementations expand the scope of the tool. Attackers can now leverage SystemBC as a persistent backdoor with near-RAT-like levels of functionality. More importantly, it provides redundancy in the attackers’ methods of persistence. Attackers will often deploy SystemBC alongside Cobalt Strike and similar frameworks, which opens up more options for post-exploitation activity and, again, strengthens persistence: if the Beacon is found and removed, the SystemBC backdoor remains.

One of the main takeaways from this is the ‘layered approach’ that modern attackers are taking. Just as we encourage a layered, defense-in-depth approach to enterprise security, threat actors are similarly pursuing multi-pronged strategies so that if one delivery method fails or one payload is detected, they have a different one that they hope won’t be.

Proper cyber hygiene, EDR and strong cloud workload protection are crucial, but as always, these incidents serve to remind us that these controls must also be properly maintained and properly configured.

The SentinelOne Singularity Platform is capable of autonomously detecting and preventing artifacts and behavior associated with SystemBC.

The Ugly

The most impactful story of the week goes to the SolarWinds compromise. In short, SolarWinds provides a host of IT management products to a far-reaching set of global customers. This includes management and monitoring of servers, endpoint systems, databases, help desk systems, and just about anything else you can imagine in that domain. Moreover, its client base is a ‘who’s who’ of high-value targets. As a direct result of this breach, it has already been confirmed that the United States Treasury, the Department of Commerce, the Department of Homeland Security and FireEye were compromised.

A joint statement from the FBI, ODNI, and CISA was issued on December 17 confirming the scope and apparent origin of the attacks. In addition, CISA released a highly detailed alert (AA20-352A) the same day, which covers the more technical side of the attack, including Indicators of Compromise (IoCs) and links to associated resources. The alert also documents the specific versions of the SolarWinds Orion platform observed to carry the trojanized code:

Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.
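Two hunting checks that follow from the FireEye kill-switch statement quoted earlier and from the CISA version list above, added here as an example. This is not code from SentinelLabs, SentinelOne, FireEye or CISA. It assumes a constructed resolver log format and constructed log lines and inventory records (the DGA-style subdomain labels are placeholders, not observed indicators), and it models the kill switch as “the backdoor exits when the address avsvmcloud[.]com resolves to falls inside a small set of ranges”; the specific ranges used are an assumption drawn from public reporting, not from this page.

```python
"""
Hunting helpers for the SolarWinds Orion / SUNBURST compromise.

Added example, not vendor code.  Everything below that looks like an
observation (log lines, host inventory, DGA labels) is constructed.
"""
import ipaddress
import re

C2_DOMAIN = "avsvmcloud.com"

# ASSUMPTION: address ranges that make SUNBURST self-terminate when the C2
# domain resolves into them (modelled on public reporting; not from this page).
KILL_SWITCH_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# From CISA Alert AA20-352A: Orion builds observed carrying the backdoor.
MALICIOUS_ORION_VERSIONS = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}

# Constructed resolver log: "<ts> <client> query <qname> -> <answer|NXDOMAIN>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")

SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.20.30.40 query update.microsoft.com -> 13.107.4.50
2020-12-14T09:12:07Z 10.20.30.40 query placeholderlabel0001.appsync-api.us-west-2.avsvmcloud.com -> 10.0.0.1
2020-12-14T09:12:09Z 10.20.30.41 query avsvmcloud.com.lookalike.example -> 198.51.100.7
2020-12-14T09:12:15Z 10.20.30.42 query placeholderlabel0002.appsync-api.eu-west-1.avsvmcloud.com -> 203.0.113.5
2020-12-14T09:13:00Z 10.20.30.43 query placeholderlabel0003.appsync-api.us-west-2.avsvmcloud.com -> NXDOMAIN
"""

# Constructed inventory of (hostname, Orion version); the last version string
# is a placeholder, not a real SolarWinds build number.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.5300.12432"),
    ("orion-lab-01", "2019.4.5200.9083"),
    ("orion-dr-01", "2020.2.1.0"),
]


def is_c2_domain(qname):
    """True for avsvmcloud.com or any subdomain; label-boundary match, so a
    look-alike such as avsvmcloud.com.lookalike.example does not match."""
    q = qname.rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def kill_switch_would_fire(answer):
    """Model of the kill-switch condition: resolved address in a kill range.
    NXDOMAIN or malformed answers never fire it."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return any(ip in net for net in KILL_SWITCH_RANGES)


def dns_findings(log_text):
    """Every query for the C2 domain, with whether the answer would have
    stopped the backdoor.  A query that does NOT fire the kill switch is the
    one to escalate: that host ran a SUNBURST build that stayed alive."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        if not is_c2_domain(qname):
            continue
        findings.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer,
                         "kill_switch": kill_switch_would_fire(answer)})
    return findings


def _version_tuple(v):
    return tuple(int(part) for part in v.strip().split("."))


_BAD_BUILDS = {_version_tuple(v): name
               for v, name in MALICIOUS_ORION_VERSIONS.items()}


def orion_findings(inventory):
    """Hosts whose installed Orion build is on the AA20-352A list.  Versions
    are compared numerically so "2020.02.5300.12432" still matches."""
    hits = []
    for host, version in inventory:
        try:
            vt = _version_tuple(version)
        except ValueError:
            continue  # unparsable version string; not a match either way
        if vt in _BAD_BUILDS:
            hits.append({"host": host, "version": version,
                         "product": _BAD_BUILDS[vt]})
    return hits


if __name__ == "__main__":
    for f in dns_findings(SAMPLE_DNS_LOG):
        state = ("kill switch would fire" if f["kill_switch"]
                 else "backdoor would proceed; escalate")
        print(f"[DNS] {f['ts']} {f['client']} {f['qname']} -> {f['answer']} ({state})")
    for f in orion_findings(SAMPLE_INVENTORY):
        print(f"[ORION] {f['host']} runs {f['version']} ({f['product']})")
```

The domain check matches on a label boundary rather than a substring so that a typosquat ending in a different zone is not mistaken for the C2 domain, and the version check normalises to integer tuples so that inventory sources that zero-pad components are still caught.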

SentinelOne has released new hunting packs for Deep Visibility, allowing for specialized queries against IOCs associated with these events. We encourage all to keep up to date with the situation as it develops. Our team will continue to update the dedicated blog and resources as needed.

