A notorious initial access broker (IAB) known as “Storm-0249” has radically shifted its tactics, moving from broad phishing campaigns to surgical strikes that weaponize the very tools designed to protect networks. A new report from the ReliaQuest Threat Research Team reveals that the group is now abusing legitimate Endpoint Detection and Response (EDR) processes—specifically components of SentinelOne—to cloak their activities and pave the way for ransomware attacks.
The group’s most alarming new technique involves a method known as DLL sideloading. According to ReliaQuest, Storm-0249 distributes malicious MSI packages via phishing, often employing “ClickFix” social engineering tactics that trick users into running commands to “fix” a fake technical issue.
Once executed with SYSTEM privileges, the installer drops a legitimate, digitally signed version of SentinelAgentWorker.exe—a core component of SentinelOne’s security agent—into a user’s AppData folder. Alongside it, they place a malicious file named SentinelAgentCore.dll.
“When the SentinelOne binary brought along by the attacker launches, it loads the malicious DLL instead of the legitimate one sitting next to it,” the report explains.
This effectively turns the security tool into a Trojan horse. To network defenders, the activity appears to be routine EDR operations, allowing the attackers to bypass signature-based detection and establish encrypted command-and-control (C2) channels disguised as legitimate telemetry.
ReliaQuest emphasizes that this does not indicate a vulnerability in SentinelOne itself. “Legitimate processes within common EDR tools, including SentinelOne, are not exploited, bypassed, evaded, or impaired with the techniques described herein.” Instead, the attackers are abusing the trust placed in signed binaries.
Beyond sideloading, Storm-0249 is “living off the land” (LoL) by abusing built-in Windows utilities to evade detection. The group creates spoofed domains that mimic Microsoft URLs (e.g., /us.microsoft.com/) to fool users and security filters.
They then use curl.exe—a standard tool for data transfer—to fetch malicious scripts and pipe them directly into PowerShell’s memory. “Instead of saving the script to disk where antivirus might catch it, the command pipes the content directly into PowerShell’s memory for immediate execution,” creating a “fileless” attack chain that leaves minimal forensic evidence.
The ultimate goal of these intrusions is to sell access to ransomware gangs like LockBit and ALPHV. The report notes that Storm-0249 conducts specific reconnaissance to extract the MachineGuid, a unique system identifier.
“By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key.” This pre-attack profiling “accelerates the time-to-impact” for ransomware affiliates, reducing their timeline from weeks to days.
With attackers hiding behind trusted processes, traditional defenses are struggling to keep up. ReliaQuest advises organizations to move beyond simple allow-listing and implement behavioral analytics.
Defenders should monitor for:
- Anomalous Sideloading: Legitimate binaries loading DLLs from unusual locations like AppData.
- Suspicious Traffic: Connections to newly registered domains originating from trusted EDR processes.
- LoLBin Abuse: Unexpected use of curl.exe or reg.exe by security agents.
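The first and third monitoring points above can be expressed as simple rules over endpoint telemetry. The following is an added illustration, not code from ReliaQuest or SentinelOne: it runs two rules over constructed records shaped like Sysmon Event ID 7 (image load) and Event ID 1 (process create), flagging an agent binary that runs outside its install directory or loads an unsigned DLL from AppData, and curl.exe or reg.exe spawned by an agent process. The install prefix, the event field layout and every path are assumptions.

```python
import re
# Constructed sample telemetry, loosely modelled on Sysmon Event ID 7 (ImageLoaded) and
# Event ID 1 (ProcessCreate) fields; none of it is real data from the report.
EDR_BINARIES = {"sentinelagentworker.exe"}             # trusted agent image names to watch
EXPECTED_INSTALL = "c:\\program files\\sentinelone\\"  # assumed install prefix (placeholder)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp)\\", re.I)
LOLBINS = {"curl.exe", "reg.exe"}
def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_image_load(ev):
    """Sysmon-7-like record: flag an EDR agent image running outside its install
    directory, or loading an unsigned DLL from a user-writable path."""
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    if basename(image) not in EDR_BINARIES:
        return None
    findings = []
    if not image.startswith(EXPECTED_INSTALL):
        findings.append("edr_binary_outside_install_dir")
    if USER_WRITABLE.search(dll):
        findings.append("dll_loaded_from_user_writable_path")
    if ev.get("Signed", "false") != "true":   # Signed describes the loaded DLL
        findings.append("unsigned_dll_in_edr_process")
    return findings or None

def check_process_create(ev):
    """Sysmon-1-like record: flag curl.exe / reg.exe whose parent is an EDR agent process."""
    if basename(ev["ParentImage"]) in EDR_BINARIES and basename(ev["Image"]) in LOLBINS:
        return ["lolbin_spawned_by_edr_process"]
    return None

def triage(events):
    """Apply the rule matching each EventID; return (EventID, Image, findings) per alert."""
    rules = {7: check_image_load, 1: check_process_create}
    alerts = []
    for ev in events:
        findings = rules.get(ev["EventID"], lambda _: None)(ev)
        if findings:
            alerts.append((ev["EventID"], ev["Image"], findings))
    return alerts

SAMPLE_EVENTS = [  # constructed: benign load, sideload from AppData, benign curl, curl from agent
    {"EventID": 7, "Image": "C:\\Program Files\\SentinelOne\\SentinelAgentWorker.exe",
     "ImageLoaded": "C:\\Program Files\\SentinelOne\\SentinelAgentCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\SentinelAgentWorker.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\SentinelAgentCore.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\curl.exe"},
    {"EventID": 1, "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\SentinelAgentWorker.exe",
     "Image": "C:\\Windows\\System32\\curl.exe"},
]
```

Only the second and fourth constructed events produce alerts; the benign load from the install directory and curl.exe launched from explorer.exe pass unflagged, which is the point of keying the rules on the trusted agent name rather than on the tool alone.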
“Storm-0249’s observed techniques are easily adaptable to other EDR platforms, making this a cross-industry concern,” the report warns, urging security teams to act before these stealthy footholds escalate into full-scale ransomware events.