
EDR Exploited for Stealthy Ransomware Attacks

Summary

– The threat actor Storm-0249 uses stealthy methods like abusing EDR solutions and trusted Windows utilities to establish access and persistence for ransomware attacks.
– The attack begins with social engineering, tricking users into executing commands that download a malicious MSI package and a PowerShell script that runs in memory to evade detection.
– The attacker strategically places a malicious DLL alongside a legitimate SentinelOne EDR executable, then uses DLL sideloading to run their code within the trusted, privileged process.
– Once inside, the attacker uses the compromised EDR process to collect system data and communicate via encrypted C2 traffic, making malicious actions appear as routine security activity.
– To counter such threats, researchers recommend behavior-based detection for unsigned DLLs loaded by trusted processes and stricter controls on tools like curl and PowerShell.

Cybersecurity professionals are facing a new and sophisticated threat as attackers weaponize the very tools designed to protect systems. A threat actor known as Storm-0249 is now exploiting endpoint detection and response (EDR) software and trusted Windows utilities to deploy malware, establish covert communication, and achieve persistence, all in preparation for devastating ransomware attacks. This shift from mass phishing to stealthier, advanced methods presents a significant challenge for defenders, even when the techniques are well-documented.

In a recent attack analyzed by ReliaQuest, Storm-0249 specifically manipulated components of the SentinelOne EDR platform to conceal malicious actions. Researchers emphasize, however, that this exploitation method is not unique to a single vendor and could potentially work against other EDR products. The intrusion began with a clever social engineering ploy called ClickFix, which duped users into pasting and executing curl commands within the Windows Run dialog. This action downloaded a malicious MSI package with elevated SYSTEM privileges.

A malicious PowerShell script was simultaneously fetched from a domain impersonating Microsoft. Crucially, this script was piped directly into the system’s memory, never saving to the disk, which allowed it to slip past traditional antivirus scans. The downloaded MSI file then deployed a rogue DLL file named SentinelAgentCore.dll. Investigators noted that this DLL was strategically placed next to the legitimate SentinelAgentWorker.exe file, a core component of the victim’s existing SentinelOne EDR installation.

The attacker then performed a DLL sideloading maneuver, using the signed and trusted SentinelAgentWorker executable to load the malicious DLL. This executed the attacker’s code within the privileged EDR process, granting both stealth and persistence that could survive operating system updates. “The legitimate process does all the work, running the attacker’s code, appearing as routine SentinelOne activity to security tools and bypassing detection,” the ReliaQuest report explains.

Once established, the compromised SentinelOne component was used to gather system identifiers. It leveraged legitimate Windows utilities like reg.exe and findstr.exe to perform this reconnaissance and to funnel encrypted HTTPS command-and-control traffic. While registry queries and string searches would typically trigger security alerts, they went unnoticed because they originated from within a trusted EDR process, which monitoring systems treat as routine.

The attackers profiled compromised systems using the ‘MachineGuid,’ a unique hardware-based identifier. Ransomware groups like LockBit and ALPHV commonly use this identifier to bind encryption keys to specific victims, making recovery without the attacker’s cooperation nearly impossible. This profiling indicates that Storm-0249 is conducting initial access breaches specifically tailored for its primary clients: ransomware affiliates.

This abuse of signed, trusted EDR processes effectively bypasses nearly all conventional security monitoring. To counter these tactics, researchers advise system administrators to implement behavior-based detection strategies that can flag trusted processes when they load unsigned DLLs from non-standard file paths. Additionally, establishing stricter execution controls for tools like curl, PowerShell, and various Living-off-the-Land Binaries (LoLBins) can help limit an attacker’s ability to leverage legitimate system functions for malicious purposes.
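As an added illustration of the behavior-based check recommended above (example code written for this article, not from ReliaQuest, SentinelOne or the original report), the following Python reads Sysmon Event ID 7 (Image Loaded) records and flags a trusted EDR process loading a DLL that is unsigned or that sits outside its own install directory and the Windows system directories. The SentinelOne install path and the sample records are constructed; the check goes slightly beyond the text by flagging either condition on its own, since the sideloaded DLL in this incident sat in the legitimate executable's own directory.

```python
# Flag DLLs loaded into a trusted EDR process that are unsigned or that sit outside
# the directories the process normally loads from (Sysmon Event ID 7 as JSON lines).
import json
from pathlib import PureWindowsPath
# Trusted EDR binaries whose DLL loads deserve scrutiny (constructed allowlist).
TRUSTED_EDR_IMAGES = {"sentinelagentworker.exe"}
# Directories a trusted process is expected to load DLLs from, besides its own.
STANDARD_DIRS = [PureWindowsPath(r"c:\windows\system32"),
                 PureWindowsPath(r"c:\windows\syswow64")]

def _inside(path, parent):
    """True if path equals parent or lies anywhere beneath it."""
    return path == parent or parent in path.parents

def classify_load(event):
    """Return the reasons an image-load event is suspicious (empty list = benign)."""
    image = PureWindowsPath(event["Image"].lower())
    if image.name not in TRUSTED_EDR_IMAGES:
        return []  # only loads into trusted EDR processes are in scope
    dll = PureWindowsPath(event["ImageLoaded"].lower())
    reasons = []
    # Sysmon records Signed/SignatureStatus for every loaded module.
    if (str(event.get("Signed", "false")).lower() != "true"
            or event.get("SignatureStatus") != "Valid"):
        reasons.append("unsigned")
    if not any(_inside(dll.parent, d) for d in STANDARD_DIRS + [image.parent]):
        reasons.append("nonstandard_path")
    return reasons

def scan(json_lines):
    """Return (process, dll, reasons) for every suspicious record."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        reasons = classify_load(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits

# Constructed sample records; the install path is illustrative, not the real one.
WORKER_EXE = r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"Image": WORKER_EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": WORKER_EXE, "ImageLoaded": WORKER_EXE.replace("Worker.exe", "Core.dll"),
     "Signed": "false", "SignatureStatus": "Unavailable"},  # the sideloaded DLL
    {"Image": WORKER_EXE, "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]]
```

Calling scan(SAMPLE_LOG) reports the SentinelAgentCore.dll load as unsigned and the helper.dll load as nonstandard_path, while the signed system DLL produces no hit.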

(Source: Bleeping Computer)
