WebBrowserPassView, Process Hollowing, and LotL Tool Abuse

Between April 10-17, 2024, Blackpoint’s Security Operations Center (SOC) responded to 171 total incidents. These incidents included 15 on-premises MDR incidents, five (5) incidents for Cloud Response for Google Workspace, and 151 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

• WebBrowserPassView[.]exe for user credential access
• Process hollowing with Remote Desktop Manager for defense evasion and lateral movement
• Remote management tools, with whoami and net[.]exe, for lateral movement and discovery

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Return to Top

WebPassView Incident with Technology Partner on April 13, 2024

Topline Takeaways

• Industry target: Technology
• Attacker information:
  • WebBrowserPassView[.]exe
  • Executables “mGQBuF0bRoT7[.]exe” and “ckkjim[.]exe”
  • Scheduled task “{0518F63D-FBD5-42D0-B3DE-B161F38D6BA2}”
• Was AV / EDR present?
  • Yes
• Threat assessment for partners:
  • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use locally installed and whitelisted software applications such as WebPassView to exploit technology-related and other organizations over the next 12 months.
• Recommended remediations and mitigations:
  • Heuristics-based activity monitoring and remediation
  • Password managers
  • Regularly audit both environment and endpoints
  • Multifactor authentication (MFA)

WebPassView Incident Timeline for April 13, 2024

• 12:44 p.m. ET: Blackpoint’s Managed Detection and Response (MDR) alerted to malicious activity of a local user account using WebPassView. The SOC noted a custom and/or renamed process, “mGQBuF0bRoT7[.]exe,” spawning WebBrowserPassView[.]exe – a password recovery tool. Additionally, the SOC identified several callouts to malicious public IP addresses – likely to retrieve additional malicious executables – including “ckkjim[.]exe,” as well as a scheduled task, likely for persistence.
• 12:49 p.m. ET: An MDR analyst escalated the incident to senior leadership.
• 12:50 p.m. ET: The senior MDR analyst isolated the impacted endpoints from all external and internal communications.
• 12:52 p.m. ET: The SOC made contact with the partner about the incident and provided additional remediation advice.

While this incident was not linked to any particular malware, the hash of “ckkjim[.]exe” (A0F23826E32F036FC93824C2D88106706C39B790AB5A5AA1EDCAAEE9904C8ACD) has been linked to the Quasar RAT malware (1). Quasar RAT is an open-source remote access trojan (RAT) that maintains the ability to steal passwords via keyloggers, take screenshots, establish a reverse proxy, and download additional payloads (2).

More About WebPassView

WebBrowserPassView[.]exe is a password recovery tool that reveals the passwords stored by multiple web browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.

The tool is often used by system administrators to recover lost and forgotten website passwords, when the user’s web browser stored the secret (3).

APG Threat Analysis of WebPassView for 2024

The APG predicts that threat actors will very likely continue to use and abuse allowlisted and otherwise acceptable applications such as WebPassView over the next 12 months.

We base this assessment on currently observed threat actor trends, both within the Blackpoint SOC’s analyzed activities as well as external researcher corroboration.

In 2021, security researchers alerted to a Kimsuky advanced persistent threat (APT) campaign that involved the use of WebBrowserPassView to collect passwords that could then be used for lateral movement, privilege escalation, and persistence (4).

Additionally, in 2023, security researchers observed the Akira ransomware operators using the tool to collect passwords.

As covered in previous analysis, the use of legitimate, already present, and allowlisted tools as part of live-off-the-land (LotL) strategies aids threat actors’ defense evasion efforts, as malicious activity can more easily blend in with “normal” or expected environment traffic.

Recommended WebPassView Mitigations and Remediations

The APG recommends the following actions to help mitigate the deployment and abuse of legitimate tools by threat actors as part of LotL attack patterns:

• Implement behavioral monitoring to find threat actors by their actions, rather than relying on specific indicators of compromise (IoCs) or other static detection methods. This method often requires human confirmation of alerts that trigger based on deviations from established user and environment activity baselines, as was crucial in resolving this incident. That is, good environmental alerts and monitoring will trigger when user or device activity changes from “known good” behavior, and shows signs of a threat actor’s “known bad” attack patterns. (When Kurt from Accounting’s endpoint suddenly executes a custom PowerShell script that’s pinging for unsecured local network devices, for example, that’s probably a bad sign.)
• Encourage the use of password managers, especially to replace browser-based password storage that can be accessed by tools such as WebBrowserPassView. If at all possible, see if you can budget organization-wide reimbursement for password managers in the next budgeting cycle – or otherwise recommend that your clients do so!
• Ensure employees have set up (and are required to use) MFA and VPNs to access sensitive data and resources, providing an additional level of credential authentication in the event of a user profile’s compromise.

Return to Top

Remote Desktop Manager for Lateral Movement Incident with Technology Partner on April 16, 2024

Topline Takeaways

• Industry target: Technology
• Attacker information:
  • Process Hollowing
  • Remote Desktop Manager (RDM)
  • Rundll32[.]exe’s suspicious connections
• Was AV / EDR present?
  • Yes
• Threat assessment for partners:
  • The APG predicts that it is likely that threat actors will continue to use RDM for lateral movement to exploit technology-related and other organizations over the next 12 months.
• Recommended remediations and mitigations:
  • Least-privilege access controls
  • Heuristics-based activity monitoring and remediation
  • Network segmentation for common ports

RDM for Lateral Movement Incident Timeline for April 16, 2024

• 8:19 a.m. ET: Blackpoint’s MDR alerted to ‘HollowProcess’ malicious activity prevented in RDM instance.
• 8:19 a.m. ET: An MDR analyst began initial triage and investigation, during which the SOC observed suspicious connections made by rundll32[.]exe.
• 8:30 a.m. ET: The analyst escalated the incident to senior SOC leadership.
• 8:40 a.m. ET: The SOC made contact with partner about the incident and provided additional remediation advice.
• 8:43 a.m. ET: The senior MDR analyst isolated the impacted endpoints from all external and internal communications out of an abundance of caution.

More About Process Hollowing and Threat Actor Abuse of Remote Desktop Manager for Lateral Movement

Process hollowing is a method of executing arbitrary code in the address space of a separate live process (5).

Threat actors use this process manipulation technique to evade detection by traditional security tools and to elevate their privileges in a targeted network.

Rundll32[.]exe is a standard part of Windows used to run dynamic link library (DLL) files and can be used to execute malicious code by threat actors.

RDM centralizes all remote connections on a single platform that is security shared between users and across a team (6).

APG Threat Analysis of Process Hollowing and Abuse of Remote Desktop Manager for 2024

The APG predicts that threat actors will likely continue to use RDM for lateral movement over the next 12 months.

We base this assessment on multiple observed threat actors using the process hollowing technique (5), including:

• Gorgon Group
• Kimsuky
• APT10
• Patchwork
• TA2541

Additionally, researchers have tracked malware variants such as QakBot and AgentTesla using process hollowing to deploy their initial payload (5).

In 2023, threat actors deployed a trojanized version of RDM for the RomCom malware (7). While threat actors are most often observed abusing RATs – including RDM – for persistence, some threat actors also impersonate these legitimate tools for initial access.

Recommended Process Hollowing and Abuse of Remote Desktop Manager Mitigations and Remediations

The APG recommends the following actions to help mitigate the use of process hollowing and abuse of RDM.

• Implement the practice of least privilege access controls. This can help ensure that users only have access to the data and resources required to complete their job functions.
• Implement behavioral monitoring of user and process activity within managed environments to detect unusual patterns that could indicate threat actors are within the system. During this incident, the threat actors were caught based on their tried-and-true activity patterns, and not necessarily a specific IoC or other static detection pattern.
• Use network segmentation to ensure critical systems are isolated from less secure areas, and to prevent unauthorized communication between segments in the event of a compromised user credential as part of a defense-in-depth (DiD) strategy.

Return to Top

esentutl[.]exe, whoami[.]exe, and net[.]exe Incident with Real Estate Partner on April 17, 2024

Topline Takeaways

• Industry target: Real Estate
• Attacker information:
  • esentutl[.]exe /p
  • whoami
  • net[.]exe
• Was AV / EDR present?
  • Yes
• Threat assessment for partners:
  • The APG predicts that it is almost certainly that threat actors will continue to abuse legitimate tools such as remote monitoring and management (RMM), whoami[.]exe, and net[.]exe to exploit real estate-related and other organizations over the next 12 months.
• Recommended remediations and mitigations:
  • Regularly audit both environment and endpoints
  • Scripting language controls
  • Heuristics-based activity monitoring and remediation

esentutl[.]exe /p Incident Timeline for April 17, 2024

• 07:11 a.m. ET: Blackpoint’s MDR alerted to malicious activity on a user administrator account using remote management tools to move laterally to the device of their real estate client.
• 07:12 a.m. ET: An MDR analyst began initial triage and investigation, during which they observed the threat actor executing commands whoami[.]exe and net[.]exe for enumeration, as well as using esentutl[.]exe /p to check the integrity of the critical database file NTDS.dit./li>
• 07:18 a.m. ET: The analyst escalated the incident to senior SOC leadership.
• 07:37 a.m. ET: The SOC made contact with the partner about the incident and provided additional remediation advice.
• 07:44 a.m. ET: The SOC isolated the impacted endpoints from all external and internal communications out of an abundance of caution.

More About whoami[.]exe, net[.]exe, and esentutl[.]exe /p

whoami[.]exe

whoami is a command used in both Windows and Unix operating systems and can be used to display the current username and privilege information (8).

Threat actors use this tool for reconnaissance, gathering information that can then be used for persistence, lateral movement, and privilege escalation.

net[.]exe

net[.]exe is a Windows command used for administering network configurations, user accounts, and network shares which can be used to stop and start the IPv6 protocol.

The net[.]exe protocol is often used by threat actors to:

• Gather system and network information as part of discovery
• Laterally move through SMB/Windows Admin Shares using the “net use” commands
• Interact with services on targeted networks (9)

In 2023, the U.S. CISA released a #StopRansomware alert related to the BianLian ransomware operation, who has previously been observed using net[.]exe to add a user account to the local remote desktop user group (10).

esentutl[.]exe /p

The esentutl[.]exe is a command line tool that provides database utilities for the Windows Extensible Storage Engine (11).

Threat actors use this tool to extract saved login credentials and dump the contents of the NTDS.dit file, an ESE database used by Active Directory to store information about user accounts and passwords (12).

In 2018, researchers observed China-linked adversary group APT10 (also known as “menuPass,” “Stone Panda,” “Red Apollo,” and “HOGFISH”) using esentutl[.]exe to execute commands that dropped:

• A malicious loader DLL
• An encrypted shellcode
• A GUP, a free generic loader (13)

APG Threat Analysis of LotL Threat Actor Abuse of whoami[.]exe, net[.]exe, and esentutl[.]exe /p for 2024

The APG predicts that threat actors will almost certainly continue to use locally allowlisted applications such as esentutl[.]exe, whoami[.]exe, and net[.]exe over the next 12 months.

We base this assessment especially on threat actors’ frequent use and abuse of related remote management tools to gain initial access, persistence, and evade detection.

In fact, the U.S. CISA warned of threat actors using these types of tools in a 2023 advisory.

LotL techniques – including abusing whoami, net, and esentutl instances on victim devices – are common actions taken by threat actors. Using expected and known tools can often make detection more difficult, thus leading to more successful attacks (14).

Recommended LotL Threat Actor Abuse of whoami[.]exe, net[.]exe, and esentutl[.]exe /p Mitigations and Remediations

The APG recommends the following actions to help mitigate LotL techniques, including for the threat actor’s use of the abused scripts used during this incident.

• Minimize the use of – or implement strict controls on – the use of scripting languages. Threat actors rely on scripting languages, such as the JavaScript used in this incident, to deploy malware and conduct malicious activities.
• Audit RMM tools on your network to avoid threat actors either abusing currently installed RMM instances, or installing their own copies of that software that might be overlooked by traditional antivirus or endpoint detection and response (EDR) solutions. Remember to identify currently used and authorized software, while removing software that does not meet the established requirements for use (and finding acceptable alternatives for the end users who are employing that shadow IT for legitimate work instances).
• Implement behavioral monitoring of your environment to detect unusual patterns that could indicate threat actor activity, even when they’re using allowlisted and legitimate applications.

References and Resources

1. VirusTotal’s Analysis Website: “a0f23826e32f036fc93824c2d88106706c39b790ab5a5aa1edcaaee9904c8acd – Client.exe” by Thor et al on 2024-04-16
2. MITRE’s Repository: “QuasarRAT” by Kyaw Pyiyt Htet on 2022-08-02
3. NirSoft’s Blog: “WebBrowserPassView v2.12” by Nir Sofer on 2022-12-17
4. Cisco Talos’s Blog: “North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets” by Asheer Malhotra and Jungsoo An on 2021-11-10
5. MITRE’s Repository: “Process Injection: Process Hollowing” by MITRE on 2023-08-11
6. Devolutions’s main website: “Remote Desktop Manager” by Devolutions on N/A
7. Blackpoint Cyber’s Blog: “How Malicious Actors Gain Initial Access” by Blackpoint Cyber on 2023-02-20
8. BlackBerry’s Blog: “RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees” from Ukraine by The BlackBerry Resaerch & Intelligence Team on 2023-06-07
9. Microsoft’s Blog: “whoami” by Microsoft on 2023-02-03
10. MITRE’s Repository: “Net” by MITRE on 2023-07-25
11. CISA’s Advisory: “#StopRansomware: BianLian Ransomware Group” by CISA and ACSC on 2023-05-16
12. MITRE’s Repository: “esentutl” by MITRE on 2023-09-08
13. AttackIQ’s Blog: “Hiding in Plain Sight: Monitoring and Testing for Living-off-the-Lands Binaries” by Federico Quattrin, Nick Desler, Tin Tam, and Matthew Rutkoske on 2023-03-16
14. Mandiant’s Blog: “APT10 Targeting Japanese Corporations Using Updated TTPs” by Ayako Matsuda and Irshad Muhammad on 2024-04-12