Threat Intelligence Spotlight: Hunting Evasive Malware



Table of Contents

3 EXECUTIVE SUMMARY
4 INTRODUCTION: A SHIFTING PLAYING FIELD
4 The perimeter is no more
4 Attackers exploit users
5 MALWARE TRENDS IN 2020
5 Notable threats from incidents investigated in 2020
8 Dishonorable mentions: Checking in on other notables
10 EVASION STRATEGIES
10 User Execution
11 LOLBin abuse
14 CONCLUSIONS AND RECOMMENDATIONS
15 REFERENCES


Threat Intelligence Spotlight: Hunting Evasive Malware © eSentire and VMware Carbon Black, July 2020

Executive Summary

It is not an exaggeration to say that endpoint protection is more important today than ever before. Cybercrime operations have adapted to take advantage of the business disruptions that have characterized the first half of 2020. A global pandemic, workforce shifts to home workstations and rapid migration to more cloud services to support that shift have altered threat surfaces, placing emphasis on endpoint and cloud security. The result is that an organization’s network footprint is now dispersed globally across interacting systems and technologies.

Threat actors, showing their usual agility, have shifted efforts to target remote workers and take advantage of current events. Because today’s networks have more sophisticated automated defenses than ever before, attackers are turning to:

• Exploiting user behavior: tricking users into opening and executing a malicious file, going to a malicious site or handing over information, typically using lures that create urgency (e.g., by masquerading as payment and invoice notifications) or leverage current crises and events

• Leveraging trusted operating system tools (living-off-the-land binaries, aka LOLBins) and abusing the capabilities of binaries and processes to achieve malicious goals (e.g., perform domain reconnaissance, establish persistence, escalate privileges, etc.)

When used in combination, as is frequently the case, these techniques are effective at bypassing automated defenses to gain initial access. In fact, the majority of successful bypass incidents we observe result from these tactics. Similar attacks will continue to pose a significant threat throughout 2020: examples in the first half of the year include Zloader, Valak, SocGholish and More_eggs.

In an incident observed by eSentire in May, a new Zloader variant successfully dropped Silent Night, which then proceeded to perform domain reconnaissance. This lateral movement activity was detected and traced back to initial access (Zloader), which had entered the organization through email, hidden in a malicious document that included a novel LOLBin abuse technique. Upon discovery of the technique, eSentire’s threat response teams developed and deployed detection across the endpoint customer base.

The challenge in developing automated defenses against user execution and LOLBins is that these activities in isolation do not indicate intent. It is only when considering the larger context of the action or execution that the malicious intention becomes clear—and that is why threat hunting is so important. Through continuous and collaborative research, threat hunters can distinguish between legitimate and malicious use of tools and processes, which is a necessary precursor to defining automated methods that reliably detect endpoint threats.


Introduction: A Shifting Playing Field

By shining a light on cyberthreats, we want to bring data and insights to conversations that can be dominated by opinion and guesswork. By citing background evidence, links to external sources, high-level overviews and incident anecdotes in this report, we aspire to raise the level of understanding of cybersecurity, particularly for leaders tasked with making cybersecurity-related decisions.

The first half of 2020 was eventful, to say the least. The COVID-19 pandemic swept the globe and civil rights demonstrations filled streets and squares worldwide. Unfortunately for businesses and their employees, attackers are adept at seizing the opportunities created by chaos, distractions and top-of-mind topics.

The perimeter is no more

When the pandemic struck, it accelerated two trends that had already been underway for quite some time.

First, by forcing widespread adoption of work from home (WFH), one result of the pandemic is that traditional security perimeters are all but disappearing—or, at the very least, evolving. In the not-too-distant past, most of an organization’s devices and systems—including its many endpoints—were located on a trusted network behind a perimeter consisting of firewalls, IDS/IPS and other security solutions. Those days are over.

Second, widespread adoption of cloud-based services was well underway before the pandemic. But the associated benefits of increased flexibility and reduced management overhead became even more valuable as employees around the world went home to work. However, with that shift, important applications and services are no longer housed in a secure data center, behind layers of security that were built and controlled by the organization.

Additionally, the convenience of the cloud has made disposable, anonymous and trusted infrastructure available to threat actors—a development which was examined in the 2019 eSentire Annual Threat Intelligence Report.

Attackers exploit users

Each of these trends has serious consequences for an organization’s cybersecurity posture and strategy; combined, they’re disruptive. Plus, threat actors have adjusted tactics to target unsuspecting home office workers in an attempt to gain access to corporate networks and valuable data. For instance, attackers have increased use of Zoom, WebEx and other video conferencing phishing lures in response to the work-from-home trend.[1]

Additionally, TrickBot campaigns have adopted themes relating to the Black Lives Matter movement, continuing a long-favored strategy of leveraging current events to nudge users toward opening malicious documents.[2] Unsurprisingly, COVID-themed messages are also in use.[3]


Malware Trends in 2020

Despite the wide variety of functional purpose found within the malware ecosystem, the process by which endpoints become compromised is fairly universal:

• Infection: Via one or more of a wide variety of mechanisms (e.g., malicious attachment, network service exploit, infected USB, drive-by-download, etc.) an endpoint is compromised; often a piece of “Dropper” or “Delivery” malware is downloaded onto (or inserts itself into) an endpoint to establish a beachhead. In some cases, internet-facing servers are exploited to install malware through remote code execution

• Instruction: Now established, the malware reports a new infection to the associated command-and-control infrastructure and receives instructions, additional malicious code or functional components. In sophisticated attacks, this process can involve a human operator who is now armed with any context and credentials acquired during the initial attack

• Propagation: In parallel, the malware often attempts to spread to additional hosts; as before, it uses one or more of a long list of techniques (e.g., Common Internet File System/Server Message Block vulnerabilities; harvesting credentials from web browsers, email clients or the operating system itself). In sophisticated attacks, this step is performed carefully and quietly by manual operators (particularly in the case of ransomware deployment, where signaling the user of compromise is an explicit step)

The potential to stop malware delivery in its tracks—or at least to detect it quickly, thereby triggering automated responses and manual intervention to prevent widespread infection—is a major reason why endpoint protection is a crucial part of any effective defense-in-depth strategy.

Notable threats from incidents investigated in 2020

Our investigations in the first half of 2020 show the following malware threats to be especially noteworthy.

Silent Night and Zloader

Zloader is a downloader module originally created in 2016 to download the Zeus banking Trojan. In the years since, Zloader has disappeared and reappeared repeatedly as its authors make modifications and defenses are updated in response.

In May 2020, while researching living-off-the-land binary (LOLBin) domain reconnaissance tactics, eSentire’s threat hunters investigated a customer event and traced the initial access back to Zloader.

After this discovery, further research revealed additional tactics, techniques and procedures (TTPs), which allowed the team to hunt and deploy detection rules across our client base, revealing additional incidents from April 2020 that were attributable to Zloader.


In each incident, initial access leveraged either email attachments or drive-by downloads of malicious payloads. A typical attachment-based infection workflow is:

• The victim receives an email using a topical lure (e.g., invoice/payment, COVID-19)

• The email contains a password-protected malicious Excel file

• The victim opens the Excel file

• The Excel file executes the malicious payload using Excel 4.0 formulas

The primary goal of these macros is, ultimately, to install the Silent Night banking Trojan, which first appeared in November 2019. On May 21, Malwarebytes released a comprehensive investigation into Silent Night and Zloader, and we highly recommend the report.[4]

Interestingly, a 12-month search of the joint eSentire and VMware Carbon Black customer base showed 190 hashes for Silent Night and only seven for Zloader. The most probable explanation is that Silent Night is more easily detectable by automated defenses (recall that we wrote a custom detection for Zloader).

Valak

Until recently, Valak was a basic dropper for other malware, but in the first half of 2020 approximately 30 different Valak variants were identified, with improving capabilities such as reconnaissance and information theft. We directly observed several incidents in the second half of May and have seen three Valak hashes in the last 12 months.

Researchers have observed some overlap between Valak, Gozi and Ursnif, but the exact nature of the relationship between threat actors is unknown.

Like Zloader, the most common infection vector is a malicious Microsoft Office document (most frequently Word, housed in a Zip archive and arriving via email), which leverages macros. The Word macro retrieves the payload and persists via a scheduled task. Also like Zloader, Valak attempts to profile the network using tools within the operating system and particularly targets domain administrators and Microsoft Exchange.

SocGholish

SocGholish is a JavaScript-based attack framework known for using fake browser and software updates as a method of entry.

Throughout the first half of 2020, SocGholish utilized fake Chrome updates to gain initial access. After establishing a foothold, the malware was often found executing domain discovery commands, enumerating domain administrator accounts and attempting to establish a reverse shell—an indication of a shift to manual threat actor operation.

In some cases, the malware’s operators attempted to deploy Cobalt Strike, a sophisticated lateral movement tool. No ransomware deployment was observed directly by the eSentire team, but reports from external sources indicate a potential business relationship between SocGholish operators and WastedLocker ransomware.[5]

In an extensive threat intelligence blog posted on June 25, Symantec’s Critical Attack Discovery and Intelligence Team wrote that, “Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers.”


More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt Group and FIN6.

While VMware Carbon Black and eSentire have observed fewer instances (two) of More_eggs than we have of the other malware specifically mentioned in this report, More_eggs warrants attention because the Cobalt Group is a longstanding and successful threat actor.

Additionally, More_eggs is notable because initial access employs a somewhat unique LOLBin exploit (an AppLocker bypass technique using the msxsl utility), which is further evidence that threat actors continually develop, experiment with and roll out new techniques.

Maze

The Maze ransomware group has been very active in the first half of 2020, with evidence suggesting a string of successful attacks against Cognizant, WorldNet Telecommunications and LG Electronics. In the attack against LG, which was announced in late June, Maze purports to have stolen 40 GB of source code (Figure 1).[6]

eSentire observed a single Maze incident in May, and in the last 12 months, we have observed seven Maze hashes.

Figure 1—Like many ransomware operators, Maze posts teasers and proof of compromise as incentives for victims to pay the recovery ransom; the evidence in this case suggests the source code relates to telecom operator AT&T.

Reconnaissance, lateral movement and hands-on-keyboard ransomware

Another notable trend is that initial access malware increasingly includes some domain reconnaissance capabilities. The examples profiled above have some combination of collection/infostealing and reconnaissance (e.g., keyloggers, password scrapers, domain scanners) capabilities. Consequently, they could lead to serious breaches through the installation of backdoors, credential theft and spreading laterally throughout a network. Once a domain is compromised, it can be maintained for technological and personnel espionage, sold on the black market or—as is often reported in the news headlines—converted into a ransomware operation.

As predicted in the 2019 eSentire Annual Threat Intelligence Report, an increase was observed in cooperation between ransomware actors and initial access actors. Hypothetically, the initial access actors establish a foothold and perform reconnaissance activities to prepare for the introduction of hands-on-keyboard ransomware, but the details and nature of such relationships are not well understood.


These sophisticated, targeted operations require much more manual effort and attention and so earn the qualifier of “hands-on-keyboard.” Legacy ransomware opportunistically infected individual users, largely through automated means including malicious emails and drive-by downloads; however, automated spreading mechanisms were often inefficient and functioned poorly in comparison to the modern approach. Today’s ransomware combines automated reconnaissance with a human operator at the keyboard. A rational actor with domain control has more agility than automated malware and can quickly work around security controls to establish backdoors, scrape high-value information and facilitate speedy ransomware deployment.

As a last line of defense against ransomware—and domain compromise, in general—we recommend businesses maintain frequent secondary and redundant backups of all essential systems and files either offline or in a segregated environment, extending back for a long period (as ransomware and other persistent malware can lie dormant for many months).

Additionally, because hands-on-keyboard ransomware is being introduced manually, the dwell time before activation is growing—giving managed detection services an advantage in detecting threats prior to encryption.

Dishonorable mentions: Checking in on other notables

Through observation and proactive research, we monitor ongoing and emerging threats, but we can’t help but pay particular attention to those threats that have a proven or recent track record.

TrickBot and Ryuk

TrickBot is a modular infostealer, which has primarily been used to target banking sites and has worked in concert with Emotet and Ryuk to wreak havoc. The eSentire Annual Threat Intelligence Report for 2019 mentioned TrickBot 15 times. It has attained infamy as arguably the first widespread example of a linkage between opportunistic mailspam and manual ransomware (Ryuk).

2020 paints a different picture: while we observe TrickBot and Ryuk at a very high frequency (Figure 2), for the time being it is very rare that they manage to evade defenses. Notably, both of these pieces of malware are always being tweaked. In the last year, VMware Carbon Black has observed 25 unique hashes for Ryuk and more than 900 for TrickBot.

Figure 2—A count of the number of observations of different malware families from July 2019 through June 2020 shows enormous variation (note the logarithmic scale).


REvil (Sodinokibi)

REvil is believed to be run by the same actors who operated the GandCrab ransomware (GandCrab was shut down shortly after REvil appeared). REvil employs a diverse group of techniques to gain access, including malicious emails, compromised MSPs, exploit kits, scan-and-exploit techniques, RDP servers and backdoored software installers. To increase the difficulty of restoring files without paying a ransom, REvil searches for backups and shadow copies of files and deletes them.

As Figure 2 shows, REvil remains very active, but—like TrickBot and Ryuk—successful attacks are relatively rare (we directly observed one incident at the beginning of April).

Dridex

Dridex is a banking Trojan that has evolved over the last decade, gaining new features including dynamic configuration, web injections and infecting connected USB devices. In 2019, Dridex also gained new evasion techniques, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption and peer-to-command-and-control encryption.

In mid-2019, a new variant of Dridex was spotted, which uses an application whitelisting technique to bypass mitigation via disabling or blocking of Windows Script Host.[7] The technique takes advantage of the WMI command-line (WMIC) utility’s weak execution policy around XSL scripts.

The most common initial access workflow we have observed with Dridex in recent months is to arrive in an email (commonly presented as an invoice or overdue payment) containing a link to a Zip archive, which itself contains a VBScript (.vbs file) requiring user execution.

PowerShell Empire

PowerShell Empire (Empire) is a post-exploitation framework available on GitHub and identified by the UK’s National Cyber Security Centre (NCSC) in their joint report on publicly available hacking tools.[8]

Empire is often seen as an intermediate phase in ransomware attacks, succeeding the initial access malware to enable the lateral movement, which precedes widespread activation of encryption.


Evasion Strategies

Today’s networks are better defended than ever before when it comes to foreign executables being delivered directly to organizations, forcing threat actors to adopt a combination of user execution and LOLBin abuse to bypass perimeter controls. In fact, most of the incidents in which we observe successful bypass of antivirus result from these techniques.

Until automated security measures can reliably detect these techniques, the cybersecurity community will continue to depend upon human-led threat hunting (as distinct from automated tools) and rapid organization responses.

User execution

User execution is employed as a means of bypassing automated security measures and remains an effective tactic for threat actors. The overwhelming majority of such events leverage email attachments and links to malicious files, although drive-by downloads do happen and can be impactful, as observed with SocGholish.

A common tactic in the incidents we directly observed was the use of Zip archives to hide a weaponized Microsoft Office document. These Zip files are either attached to an email directly or are served via a link within the email. When attached directly, the Zip files may be password-protected to bypass email attachment scanners.

Upon opening the Zip archive, the user typically finds a Word or Excel file masquerading as an invoice, a purchase order or some other business-related file.

These files generally include malicious formulas and macros; if permitted to execute, then simply opening the file can unwittingly grant an attacker initial access.

Because many organizations have controls in place, it’s common to see instructions (masquerading as a helpful tip or direction) contained within the documents which explain to the victim how to enable macros.

Figure 3—Attackers encourage users to unwittingly take unsafe actions.[9]


A similar approach is employed to prompt users to open and execute malicious script files (e.g., .vbs, .js, .ps1) to similar effect.

Another means of gaining initial access is to send the user to a malicious domain, where a browser vulnerability can be exploited or the user can be tricked into executing malware masquerading as a software update (e.g., a fake Flash or browser update, as is a common tactic with SocGholish).

As noted previously, threat actors are adept at adjusting their tactics to increase the appearance of legitimacy. Figure 4 shows a Zoom lure that might appeal to remote workers; we have also directly observed COVID-19 (Zloader) and Black Lives Matter (TrickBot) lures.

Figure 4—Threat actors are adept at shifting their tactics; in this example, a Zoom lure attempts to trick the user into clicking on a malicious link.

LOLBin abuse

There are many mechanisms by which malware attempts to achieve actions on objective. Starting in 2016 and accelerating in 2017, attackers made a strategic shift and began widely employing “fileless” attacks.[10] Also referred to as “non-malware” attacks, fileless attacks leverage existing OS tools, software, permitted applications and authorized protocols to carry out malicious activities—in contrast to relying upon a dedicated piece of malware. It’s worth mentioning as a caveat that this technique is often used as an intermediate step to introduce traditional malware (malicious executables), but more often these function as custom plug-ins introduced after persistence and evasion measures have been implemented.

A particular trend we are closely monitoring and researching is the use of LOLBins. These are non-malicious binaries and other trusted processes that attackers and malware abuse to hide malicious activity and to evade defenses. Because these processes are trusted, it is very difficult to automate detection. The use of a binary isn’t sufficient to identify an activity as malicious—instead, the context in which the binary is used (e.g., parent-child relationships, mod loads, associated script files, user context) must be known to determine the intention behind the execution.

Legitimate software developers, code-savvy system administrators and threat actors can all make use of system tools in a variety of creative ways. Researching and separating these use cases demands manual—but necessary—work for security teams to stay at the front of the evolving threat landscape and to address the corresponding consequences for an organization’s threat surface.


Example: investigating a Zloader incident

Figure 5 shows the process tree for the first Zloader incident investigated in May 2020. Note that to gain initial access, the malware leveraged a series of legitimate processes; these processes traced back to a malicious Excel file, which was opened from within Microsoft Outlook after arriving in an email.

The Excel file relied on a convoluted collection of Excel 4.0 macros (as distinct from VBA macros) to pursue malicious objectives.

Excel 4.0 macros (also called XLM) were introduced in 1992, followed a year later by Visual Basic for Applications (VBA) macros in Excel 5.0. Despite their age, Excel 4.0 macros are still supported in recent Microsoft Office versions; unfortunately, they also provide many offensive opportunities for attackers. Moreover, because they are stored in a different way in Excel files than VBA macros, Excel 4.0 macros are more difficult to analyze.[11]

In this particular incident, the macros were obfuscated by arranging them in columns of integers that are converted to ASCII characters via the CHAR function. Housed inside a hidden workbook, the macros ultimately combine to comprise a script which downloads a malicious DLL masquerading as an HTML file, presumably the SilentNight payload.

Figure 5—The process tree for the initial Zloader incident we observed.

Figure 6—This image, from Malwarebytes' deep-dive, shows how Zloader abuses Excel.
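The CHAR-based obfuscation described above is mechanical, so an analyst can undo it mechanically once the hidden sheet's cells have been dumped. The following decoder is an added example written for this page; it is not code from the report, from eSentire, VMware Carbon Black or Malwarebytes, and it does not parse .xls files itself. It assumes the sheet has already been extracted into a dictionary mapping cell references to values, and the sample sheet (SAMPLE_SHEET) is constructed: column A holds the character codes of a harmless =ALERT("SAMPLE") macro and B1 is the chain of CHAR() calls that rebuilds it, which is the pattern the incident used.

```python
import re
from typing import Dict, Union

CellValue = Union[int, str]
Sheet = Dict[str, CellValue]
MAX_DEPTH = 50  # guard against formulas that reference each other in a loop

# One token of an XLM concatenation formula: CHAR(<cell or integer>),
# a "string literal", or a bare cell reference. Tokens are joined with '&'.
TOKEN = re.compile(r'CHAR\(\s*([A-Z]+\d+|\d+)\s*\)|"([^"]*)"|([A-Z]+\d+)')

# Constructed sample sheet (not taken from any real workbook). Column A is a
# column of integers, B1 converts them back to text with CHAR(), exactly the
# layout the report describes. Decoded, B1 reads =ALERT("SAMPLE").
SAMPLE_SHEET: Sheet = {
    "A1": 61, "A2": 65, "A3": 76, "A4": 69, "A5": 82, "A6": 84, "A7": 40, "A8": 34,
    "A9": 83, "A10": 65, "A11": 77, "A12": 80, "A13": 76, "A14": 69, "A15": 34, "A16": 41,
    "B1": "=" + "&".join(f"CHAR(A{i})" for i in range(1, 17)),
}


def _int_arg(arg: str, sheet: Sheet) -> int:
    """Resolve the argument of CHAR(): an integer literal or a cell holding one."""
    if arg.isdigit():
        return int(arg)
    value = sheet.get(arg)
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():  # number stored as text
        return int(value)
    raise ValueError(f"{arg} does not hold an integer (got {value!r})")


def cell_text(ref: str, sheet: Sheet, depth: int = 0) -> str:
    """Text of a cell: formulas are decoded recursively, numbers printed as-is."""
    value = sheet.get(ref, "")
    if isinstance(value, str) and value.startswith("="):
        return evaluate(value, sheet, depth)
    return str(value)


def evaluate(formula: str, sheet: Sheet, depth: int = 0) -> str:
    """Decode a CHAR()/'&' concatenation formula into the text it builds."""
    if depth > MAX_DEPTH:
        raise RecursionError("formula nesting too deep; possible reference loop")
    body = formula[1:] if formula.startswith("=") else formula
    parts = []
    for match in TOKEN.finditer(body):
        char_arg, literal, ref = match.groups()
        if char_arg is not None:
            parts.append(chr(_int_arg(char_arg, sheet)))
        elif literal is not None:
            parts.append(literal)
        else:
            parts.append(cell_text(ref, sheet, depth + 1))
    return "".join(parts)


def decode_formula_cells(sheet: Sheet) -> Dict[str, str]:
    """Decode every formula cell in the sheet; maps cell -> reconstructed text."""
    return {ref: evaluate(value, sheet) for ref, value in sheet.items()
            if isinstance(value, str) and value.startswith("=")}


if __name__ == "__main__":
    for ref, text in decode_formula_cells(SAMPLE_SHEET).items():
        print(f"{ref}: {text}")  # B1: =ALERT("SAMPLE")
```

Because the decoder follows cell references rather than a fixed column, it also handles the common variation where the integer column is referenced from several formula cells, or where one formula cell concatenates the output of another; the depth guard stops it from spinning on a self-referencing cell, which a hand-built sample can easily contain.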


SilentNight was detected performing domain reconnaissance using operating system tools including net and nltest. For example, it employed the command nltest /domain_trusts /all_trusts to generate a list of all trusted domains, providing the attacker with information to aid in lateral spread.

We have seen the same tactic used by TrickBot, PowerShell Empire and now SocGholish. It’s also important to note that, like the binaries in Figure 5, nltest and the corresponding /domain_trusts command are legitimate tools relied upon by domain administrators, which complicates automating defenses.

Other process paths we observed include:

• Valak and Ursnif: Word macros → regsvr32 → wscript → malicious JavaScript

• More_eggs: Word macros → svchost → wmiprvse → (msxsl, cmstp, regsvr32)
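The contextual signals the LOLBin section above calls for (parent-child relationships, associated script files, user context) and the process paths just listed can be combined into a scoring rule that a hunter runs over process-creation telemetry. What follows is an added example written for this page, not the report's or either vendor's detection logic. It assumes events have been normalized to pid, ppid, image, user and command line; the sample EVENTS are constructed, and the image lists, score weights, threshold and ADMIN_USERS are assumptions chosen for illustration. It also relies on one real Windows behaviour: processes started through WMI have WmiPrvSE.exe as their parent, which is why the More_eggs path above passes through wmiprvse and why a WMI-spawned LOLBin is treated as its own signal.

```python
from typing import Dict, Iterator, List, Tuple

# Image sets and weights are assumptions for this example, not vendor rules.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msxsl.exe", "cmstp.exe",
           "certutil.exe"} | SCRIPT_ENGINES | SHELLS
# Domain reconnaissance command lines (nltest /domain_trusts is from the report).
RECON_ARGS = {"nltest.exe": ("/domain_trusts",), "net.exe": ("/domain",), "net1.exe": ("/domain",)}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
THRESHOLD = 50

ADMIN_USERS = {"CORP\\adm-jsmith"}  # assumed list of accounts expected to run recon

# Constructed process-creation events (not real telemetry). Chains:
#   explorer -> WINWORD -> regsvr32 -> wscript -> nltest   (the Valak-style path)
#   svchost -> WmiPrvSE -> msxsl                           (the More_eggs-style path)
#   explorer -> cmd -> nltest, run by an admin             (benign baseline)
#   svchost -> msiexec -> regsvr32                         (benign installer)
EVENTS: List[Dict] = [
    {"pid": 1, "ppid": 0, "image": "wininit.exe", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "wininit.exe"},
    {"pid": 50, "ppid": 1, "image": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "user": "CORP\\jdoe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": "WINWORD.EXE", "user": "CORP\\jdoe",
     "cmdline": 'winword.exe "C:\\Users\\jdoe\\Downloads\\invoice.docm"'},
    {"pid": 400, "ppid": 300, "image": "regsvr32.exe", "user": "CORP\\jdoe",
     "cmdline": "regsvr32.exe /s C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll"},
    {"pid": 500, "ppid": 400, "image": "wscript.exe", "user": "CORP\\jdoe",
     "cmdline": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.js"},
    {"pid": 600, "ppid": 500, "image": "nltest.exe", "user": "CORP\\jdoe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"pid": 700, "ppid": 100, "image": "cmd.exe", "user": "CORP\\adm-jsmith", "cmdline": "cmd.exe"},
    {"pid": 800, "ppid": 700, "image": "nltest.exe", "user": "CORP\\adm-jsmith",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"pid": 950, "ppid": 50, "image": "msiexec.exe", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "msiexec.exe /V"},
    {"pid": 900, "ppid": 950, "image": "regsvr32.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\comp.dll\""},
    {"pid": 1000, "ppid": 50, "image": "WmiPrvSE.exe", "user": "NT AUTHORITY\\NETWORK SERVICE", "cmdline": "wmiprvse.exe"},
    {"pid": 1100, "ppid": 1000, "image": "msxsl.exe", "user": "CORP\\jdoe",
     "cmdline": "msxsl.exe C:\\Users\\jdoe\\AppData\\Roaming\\data.xml C:\\Users\\jdoe\\AppData\\Roaming\\style.xsl"},
]


def ancestors(pid: int, by_pid: Dict[int, Dict]) -> Iterator[Dict]:
    """Yield ancestor events of pid, nearest first; stops on missing parents or loops."""
    seen = set()
    event = by_pid.get(pid)
    while event is not None and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid.get(event["ppid"])
        if event is not None:
            yield event


def score_event(event: Dict, by_pid: Dict[int, Dict], admin_users) -> Tuple[int, List[str]]:
    """Score one process by the context it ran in, not by its image alone."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    parent = by_pid.get(event["ppid"])
    parent_image = parent["image"].lower() if parent else ""
    lineage = {a["image"].lower() for a in ancestors(event["pid"], by_pid)}
    admins = {u.lower() for u in admin_users}
    score, reasons = 0, []
    if image in LOLBINS and lineage & OFFICE:
        score += 50
        reasons.append(f"LOLBin descends from Office app {sorted(lineage & OFFICE)}")
    if image in LOLBINS and parent_image == "wmiprvse.exe":
        score += 40
        reasons.append("LOLBin spawned via WMI (WmiPrvSE.exe parent)")
    if image in LOLBINS and any(p in cmd for p in USER_WRITABLE):
        score += 20
        reasons.append("argument references a user-writable path")
    if image in RECON_ARGS and any(a in cmd for a in RECON_ARGS[image]):
        score += 20
        reasons.append("domain reconnaissance command line")
        if lineage & (OFFICE | SCRIPT_ENGINES):
            score += 30
            reasons.append("recon descends from Office app or script engine")
        if event["user"].lower() not in admins:
            score += 20
            reasons.append(f"recon run by non-admin {event['user']}")
    return score, reasons


def assess(events: List[Dict], admin_users) -> List[Dict]:
    """Return findings (pid, image, score, reasons) at or above THRESHOLD, highest first."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        score, reasons = score_event(event, by_pid, admin_users)
        if score >= THRESHOLD:
            findings.append({"pid": event["pid"], "image": event["image"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in assess(EVENTS, ADMIN_USERS):
        print(finding["pid"], finding["image"], finding["score"], "; ".join(finding["reasons"]))
```

The point the report makes is visible in the output: the two nltest invocations have identical command lines, but only the one descending from a script engine and run by a non-admin crosses the threshold, while the administrator's copy from a console shell scores low. Weights and lists like these belong in a tunable rule set, since the legitimate-use baseline (which accounts run nltest, which installers call regsvr32) differs per organization.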

Interrupting the lifecycle

A major focus of next-generation endpoint protection platforms is to detect and to stop the code execution needed at each stage of the malware lifecycle—thereby preventing the threat from achieving its goals.

Customizable behavioral rules allow for granular control of whitelists for business operations while restricting unapproved execution of potential threats, thereby achieving protection without interfering with legitimate business processes and applications. System administrators can also enable macro controls (e.g., per user, per application) and signing—attach a digital signature to trusted macros and disable unsigned macros—as defense mechanisms.

Additionally, Microsoft Defender Advanced Threat Protection (ATP) allows use of attack surface reduction (ASR) rules to target software behaviors that are often abused by attackers, such as:[12]

• Launching executable files and scripts that attempt to download or run files

• Running obfuscated or otherwise suspicious scripts

• Performing behaviors that apps don't usually initiate during normal day-to-day work


Conclusions and Recommendations

There’s no question that for the foreseeable future protecting distributed home offices must be a security priority.

And that’s a major reason why endpoint security is so important. But “security” can be an ambiguous term, so

we should be more specific. For an endpoint security strategy to be successful, it requires as a minimum two

functional components:

• Prevention, through next-generation antivirus (NGAV)

• Detection and response, to identify and contain threats that bypass defenses

The most effective way to deliver these functions is to run an agent directly on each endpoint, because doing so

provides unmatched visibility into and—vitally—control over the device’s activity. This approach fills in gaps and

re-strengthens the security posture by equipping security personnel with the tools needed to quickly investigate

threats and take decisive, difference-making action to isolate devices and stop malicious processes.

Importantly, no one knows with any certainty when social distancing measures will be relaxed; moreover, many organizations are exploring (or have already announced) a permanent shift to a work-from-home model [13]. So not only is it truly endpoint’s time to shine, but the investment has tremendous long-term value.

In addition to implementing a modern endpoint protection platform, organizations should pursue a comprehensive defense-in-depth strategy:

• Recognize the limitations of antivirus solutions, and do not rely on antivirus alone to protect against modern threats. Employ multiple endpoint solutions, with next-generation antivirus being one

• Because organizations with more distributed locations, systems and people are considerably more vulnerable than those with only a small number of locations, take special care—especially during times of aggressive growth or during sudden changes in remote work—to harden endpoints and exposed systems (e.g., RDP servers)

• Most malware arrives through malicious email attachments or links, both of which exploit user behavior to initiate the malicious activities. Organizations can attempt to mitigate this risk through regular user awareness training (e.g., continuous simulated phishing exercises to assess effectiveness and implementing a process for reporting/responding to suspicious emails) and technical controls (e.g., implement spam filtering, URL rewriting and attachment sandboxing; only allow email attachments containing trusted file types; restrict execution from temp directories, such as AppData)

• Because permissive application policies, or a failure or inability to enforce more restrictive policies, contribute to increasing an organization’s vulnerability, leaders must support IT teams’ efforts to manage applications and to enforce policies strictly


References

[1] https://www.proofpoint.com/us/threat-insight/post/remote-video-conferencing-themes-credential-theft-and-malware-threats

[2] https://www.bleepingcomputer.com/news/security/fake-black-lives-matter-voting-campaign-spreads-trickbot-malware/

[3] https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-impact-covid-19-cyber-threat-activity

[4] https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/

[5] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

[6] https://www.bleepingcomputer.com/news/security/lg-electronics-allegedly-hit-by-maze-ransomware-attack/

[7] James_inthe_box reported observations on June 13th; Brad Duncan posted detailed analysis on June 17th, in Malspam with password-protected Word docs pushing Dridex

[8] https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

[9] This example is from https://www.virustotal.com/gui/file/dcaded58334a2efe8d8ac3786e1dba6a55d7bdf11d797e20839397d51cdff7e1/detection

[10] For more information about fileless attacks, please see Carbon Black’s article “What Is a Non-Malware (or Fileless) Attack?”, available at https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/

[11] For a longer explanation and examples, see Outflank’s blog post “Old school: evil Excel 4.0 macros (XLM)”

[12] https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

[13] https://www.bloomberg.com/news/articles/2020-05-21/shopify-is-joining-twitter-in-permanent-work-from-home-shift


About eSentire:

eSentire, Inc., founded in 2001, is the category creator and world’s largest Managed Detection and Response (MDR) company, safeguarding businesses of all sizes with the industry-defining, cloud-native Atlas platform that removes blind spots and enables 24x7 threat hunters to contain attacks and stop breaches within minutes. Its threat-driven, customer-focused culture makes the difference in eSentire’s ability to attract the best talent across cybersecurity, artificial intelligence and cloud-native skill sets. Its highly skilled teams work together toward a common goal to deliver the best customer experience and security efficacy in the industry. For more information, visit www.esentire.com and follow @eSentire.

About VMWare:

VMware software powers the world’s complex digital infrastructure. The company’s cloud, app modernization, networking, security and digital workspace offerings help customers deliver any application on any cloud across any device. Headquartered in Palo Alto, California, VMware is committed to being a force for good, from its breakthrough technology innovations to its global impact. For more information, please visit https://www.vmware.com/company.html

VMware and Carbon Black are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and other jurisdictions.