Experiencing a Breach?

12 Months of Fighting Cybercrime | SentinelLabs 2020 Review

SentinelLabs came into being at the back end of 2019 as a means of providing value to the cyber security community by focusing on research and threat intelligence unavailable elsewhere. In an action-packed 13 months or so since then, we have published 65 posts on malware, ransomware, phishing campaigns, threat actors, software vulnerabilities and cybercrime fighting tools, and we have plenty more research and intelligence coming in 2021, too!

Looking back over the last 12 months, we have seen the cybercrime story unsurprisingly dominated by social engineering and malware campaigns themed around the COVID-19 pandemic. But there was also a lot of other things going on this year, from an explosion in RaaS (ransomware as a service) offerings and victim data exploitation with operators like Maze and Egregor, to a unique macOS ransomware/spyware campaign and, notably, the SUNBURST SolarWinds Orion supply chain attack.

Of course, you can catch up on all our research and threat intelligence posts over at SentinelLabs, but for a quick recap on some of the main highlights, take a scroll through our 2020 timeline below.

January

Following on from SentinelLabs’ groundbreaking discovery of the TrickBot Anchor malware at the end of 2019, our first research post of 2020 broke news of a new TrickBot backdoor called “PowerTrick”. Built for stealth, persistence and reconnaissance, PowerTrick is deployed inside infected high-value targets such as financial institutions.

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets

February

North Korean cybercrime actors, specifically the Lazarus group (aka ‘Hidden Cobra’), have a long and storied history of destructive cyber attacks. 2020 was no different for the APT group, with campaigns targeting macOS as well as the Windows platforms. SentinelLabs rounded up a collection of this adversary’s toolsets, including Bistromath, Hoplight, Slickshoes and more.

DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity

March

TA5050 is crimeware group that has been around since at least 2014 and associated with a variety of advanced malware families, including Dridex, FlawedAmmyy, SDBot, TrickBot and Get2, a downloader used to deliver any of the above (and others). SentinelLabs developed a unique unpacker for the crypter used to obfuscate Get2 DLLs utilizing SMT.

Breaking TA505’s Crypter with an SMT Solver

April

More generally known as a banking malware trojan, the IcedID botnet was also deployed during 2020 to take advantage of the COVID-19 pandemic and to engage in a spot of tax fraud. SentinelLabs was the first to uncover how the infamous IcedID botnet uses social engineering and custom PowerShell uploaders to steal documents related to the victim’s identity and tax returns.

IcedID Botnet | The Iceman Goes Phishing for US Tax Returns

May

Understanding how APT actors operate is key to protecting your organization. SentinelOne’s Vigilance MDR team revealed how their Incident Response procedure uncovered an APT actor’s entry point, lateral movement, and persistence mechanisms.

The Anatomy of an APT Attack and Cobalt Strike Beacon’s Encoded Configuration

June

This year, NetWalker ransomware, like many others, evolved into a RaaS (ransomware as a service) offering and also incorporated data leakage extortion into its repertoire. SentinelLabs revealed affiliate preconditions, technical details, and victim exploitation associated with the NetWalker RaaS.

NetWalker Ransomware: No Respite, No English Required

July

A rare case of ransomware came to the macOS platform in 2020, variously called ‘EvilQuest’, ‘ThiefQuest’ and ‘MacRansom.K’. SentinelLabs researchers were the first to reverse the encryption routine used in the malware and to release a public decryptor for any unfortunate victims.

Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine

August

Right up until August, Maze was one of the most widespread and successful ransomware threats out there. Maze’s success can in part be attributed to the fact that attacks are customized by human operators to exploit the particular environment of victims. SentinelLabs caught one in action and detailed the attacker’s moves.

Case Study: Catching a Human-Operated Maze Ransomware Attack In Action

September

From the earliest months of the pandemic, threat actors exploited the COVID-19 coronavirus in multiple ways. This rolling blog post began in February and details the phishing campaigns and other social engineering lures seen by SentinelLabs throughout the year.

Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic

October

In October, CISA released an urgent advisory warning that cybercriminals were targeting the Healthcare and Public Health (HPH) sector with Ryuk and Conti ransomware. The threat actors relied heavily on Anchor, a Trickbot derivative, as a loader to infect victims, and leveraged both DNS tunneling and ICMP for C2 communications. SentinelLabs was the first to uncover and reverse the ICMP component of the Anchor module.

Anchor Project for Trickbot Adds ICMP

November

Widely-believed to be the successor to the Maze ransomware, Egregor appeared around mid-September and has already been associated with cyberattacks against GEFCO and Barnes & Noble, Ubisoft, and numerous others. SentinelLabs detailed its payload, leveraging of Cobalt Strike and Rclone, and its post-compromise behavior.

Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone

December

The final month of 2020 revealed that a nation-state actor had been running a campaign since at least April via what may turn out to be one of the most damaging supply chain attacks of all time, the compromise of SolarWinds Orion, first detected in the environment of cyber security outfit FireEye. While we were able to validate that no SentinelOne customers were victims of this wide-ranging breach, many others were not so lucky and the fall out from SUNBURST is likely to continue into 2021. SentinelLabs took a look inside the SUNBURST backdoor and the dropped SUPERNOVA webshell trojan.

SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan

Conclusion

2020 turned out to be a busy twelve months for all those involved in fighting cybercrime, and for SentinelLabs’ researchers, there was no shortage of threats and threat intelligence to keep on top of. And of course, we’ll be right there with you throughout this coming year and beyond.

To all, we wish a happy and secure New Year and 2021. Ensure that you keep your organization, endpoints, network and cloud infrastructure safe with SentinelOne’s award-winning Singularity platform, and keep your security team up-to-date with SentinelLabs’ original and timely research.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security