EDR Process Sideloading to Conceal Malicious Activity

Initial access broker Storm-0249 has undergone a significant transformation, evolving from a mass phishing operation into a sophisticated threat actor that leverages legitimate Endpoint Detection and Response (EDR) processes to conceal malicious activity. This is achieved through sideloading techniques, making it appear as routine security operations.

This escalation in capabilities poses a critical risk to organizations that rely on traditional defense mechanisms, as it signifies a new level of complexity in the group’s tactics.

Researchers from ReliaQuest, in collaboration with SentinelOne, have documented how Storm-0249 exploits trusted signed executables, specifically SentinelOne’s SentinelAgentWorker.exe, to execute malicious payloads while evading detection.

The techniques used by Storm-0249 are adaptable to other EDR platforms, making this a cross-industry threat that requires immediate attention from security teams across various sectors.

The group’s recent attack methodology begins with a ClickFix attack, a social engineering technique that manipulates users into executing encoded commands via the Windows Run dialog. Once initial access is established, the attack unfolds through three coordinated phases.

The first phase utilizes curl.exe, a legitimate built-in Windows utility, to download malicious PowerShell scripts directly into memory from spoofed Microsoft domains. This approach bypasses signature-based antivirus solutions, as the malicious code never touches the disk.

The second phase involves delivering a trojanized MSI package that exploits Windows Installer’s SYSTEM-level privileges. The package contains a malicious DLL that impersonates a legitimate SentinelOne EDR component, strategically placed in the AppData folder, a location often excluded from rigorous security monitoring.

Legitimate and digitally signed SentinelAgentWorker executable loading a malicious DLL.
Legitimate and digitally signed SentinelAgentWorker executable loading a malicious DLL.

When the legitimate SentinelOne executable launches, it loads the attacker’s malicious DLL instead of the legitimate version, a technique known as DLL sideloading. This makes the attack appear as routine security software behavior, further complicating detection efforts.

Security Software Into an Attack Vector

The implications of Storm-0249’s ability to abuse trusted EDR processes are profound. By hijacking digitally signed executables, the group transforms security software into an attack vector, significantly escalating the threat level.

Network monitoring tools observe the compromised SentinelAgentWorker.exe establishing command-and-control communications to newly registered domains but trust the process because it remains allowed and digitally signed. The attackers encrypt C2 traffic with TLS, rendering it invisible to deep packet inspection and SSL inspection appliances.

SentinelAgentWorker reaching out to a malicious domain.
SentinelAgentWorker reaching out to a malicious domain.

This neutralizes a significant portion of traditional perimeter defenses, allowing operators to transmit malware encryption keys and payload instructions without detection.

Following initial compromise, Storm-0249 conducts reconnaissance using legitimate Windows utilities like reg.exe and findstr.exe to extract system identifiers, including MachineGuid. This data becomes critical for ransomware affiliates, as groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.

Defense Imperatives

By securing this information, Storm-0249 delivers pre-profiled targets to ransomware customers, dramatically reducing the time-to-ransom from weeks to days. Organizations must implement behavioral analytics to detect anomalies such as DLL sideloading, monitor DNS for newly registered domains, and enforce strict controls on legitimate tools like curl.exe and PowerShell.

Automated incident response playbooks that isolate compromised hosts, block malicious domains, and prevent the execution of known malicious hashes are essential. Storm-0249’s evolution demonstrates that traditional signature-based defenses are insufficient, and security teams must prioritize visibility into trusted processes, implement behavioral monitoring, and maintain network segmentation to disrupt these sophisticated attacks.

IOCs

Artifact Type Details
07c5599b9bb00feb70c2d5e43b4b76f228866930 SHA-1 Hash Malicious DLL named “SentinelAgentCore” (used for DLL sideloading)
423f2fcf7ed347ee57c1a3cffa14099ec16ad09c SHA-1 Hash Spear.msi (Malicious Installer)
krivomadogolyhp[.]com Domain C2 Domain
hristomasitomasdf[.]com Domain C2 Domain
hamcore[.]se2 File/Resource* C2 Domain (Likely a reference to SoftEther VPN configuration file or artifact)*
sgcipl[.]com Domain C2 Domain (Used for spoofed Microsoft domains)
178.16.52[.]145 IP Address Malicious IP Address
172.67.206[.]124 IP Address Malicious IP Address
Q bvDJ pccnW VkqW iZT

Related Articles

Back to top button