Case Study – BFSI
Advanced Threat Hunting closes EDR detection gaps in a backdoored PDF installer campaign
About the client
The client is a large financial services organization operating across multiple regions, supporting a broad user base and handling sensitive financial data. Its environment relies heavily on endpoint security controls to protect employee systems and client-facing operations, and the client uses Microsoft Defender and Sentinel.
The client’s challenge
The client had concerns about blind spots in its EDR coverage after identifying missed EDR detections associated with a threat campaign involving backdoored PDF installers.
CyberProof's MXDR service confirmed the campaign, which leveraged search engine optimization to deliver backdoored PDF installers as the initial infection vector.
At this point, the client faced several challenges:
- Incomplete visibility into the campaign: Initial alerts suggested isolated activity, but indicators pointed to a broader, coordinated campaign.
- Detection gaps within EDR: Existing EDR rules did not fully capture the observed behaviors. The client needed to know where detections failed and why.
- Persistent attacker activity: Attackers continued to create new websites impersonating PDF tools in order to trick unsuspecting users.
Automated MXDR workflows alone were insufficient to answer these questions. CyberProof recommended an Advanced Threat Hunting engagement to perform a structured detection gap analysis and deeper campaign investigation.
Benefits
- Unique skillset: Product-agnostic and deeply skilled, the team identified more than 10 missed detections in Trend Micro, SentinelOne and Microsoft Defender.
- Deep visibility: Clear understanding of the backdoored PDF installer campaign and associated attacker behavior.
- Closed EDR detection gaps: Addressed missed detections through real-time threat hunting, reporting, and remediation, closing gaps in under 24 hours.
- Faster detection updates: Leveraging cross-team collaboration to quickly test and deploy improved detection queries.
Our solution
As an existing MXDR customer, the client already trusted CyberProof and had established workflows with its analysts. The client had also followed CyberProof research through its media coverage, which reinforced confidence in the team's threat hunting capabilities.
Over a ten-month period, CyberProof threat hunters observed and reviewed multiple malicious PDF installer campaigns to identify recurring techniques and behaviors. By analyzing these campaigns collectively, the team identified several common TTPs that were used to develop targeted detection queries.
Dynamic analysis of the malicious installers revealed that they launched node.exe to execute information-stealing JavaScript. node.exe is a legitimate executable belonging to the Node.js runtime; its use in this context, however, was anomalous and indicative of malicious activity.
The attackers behind these campaigns further attempted to evade detection by giving the JavaScript files randomized GUID-style names and establishing persistence through scheduled tasks pointing to those files.
To address the identified detection gaps, CyberProof threat hunters developed a high-fidelity hunting query that detects suspicious outbound network connections from node.exe executing GUID-named JavaScript files. This closed the EDR misses that had previously created blind spots within the MXDR service.
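One way to express that hunting logic, as an added example that is not CyberProof's query: product-agnostic Python over constructed, normalized EDR telemetry (the event fields, paths and sample values are assumptions), flagging outbound connections from node.exe running a GUID-named .js file and scheduled-task creation pointing at such a file.

```python
import ipaddress
import re

# GUID-style file name ending in .js, e.g. 3f2504e0-4f89-11d3-9a0c-0305e82c3301.js
GUID_JS = re.compile(
    r"(?i)\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.js\b")

# RFC 1918 and loopback ranges; any other destination is treated as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, normalized telemetry (field names and values are assumptions,
# not real client data): network events and process-creation events.
SAMPLE_EVENTS = [
    {"type": "network", "process": "node.exe", "remote_ip": "203.0.113.45",
     "cmdline": r'"C:\PDFTool\node.exe" C:\Users\a\AppData\Local\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301.js'},
    {"type": "network", "process": "node.exe", "remote_ip": "203.0.113.10",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"type": "network", "process": "node.exe", "remote_ip": "10.0.0.5",
     "cmdline": r'node.exe C:\Users\a\AppData\Local\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301.js'},
    {"type": "process", "process": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "node.exe C:\Users\a\AppData\Local\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301.js"'},
    {"type": "process", "process": "schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]

def is_guid_named_js(cmdline):
    """True when the command line references a GUID-named .js file."""
    return GUID_JS.search(cmdline) is not None

def is_external(ip):
    """True when the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events):
    """Return (rule, cmdline, remote_ip) tuples for events matching either rule."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        proc = ev["process"].lower()
        if (ev["type"] == "network" and proc == "node.exe"
                and is_guid_named_js(cmd) and is_external(ev["remote_ip"])):
            hits.append(("node_guid_js_outbound", cmd, ev["remote_ip"]))
        elif (ev["type"] == "process" and proc == "schtasks.exe"
                and "/create" in cmd.lower() and is_guid_named_js(cmd)):
            hits.append(("schtask_guid_js_persistence", cmd, None))
    return hits

if __name__ == "__main__":
    for rule, cmd, ip in hunt(SAMPLE_EVENTS):
        print(rule, ip or "-", cmd)
```

The legitimate node.exe run (server.js) and the GUID-named script talking only to an internal address are deliberately left unflagged, which is the fidelity trade-off the hunting query makes.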
Results
The validated query was shared with the client and incorporated into the detection logic within the environment, providing real-time protection against similar activity going forward.
This campaign was observed impacting more than six clients, with detection gaps identified across three different EDR solutions. While these gaps manifested differently across environments, CyberProof threat hunting identified the common techniques and worked with the MXDR team to close coverage gaps and enable consistent detection.
Speak with an expert
Explore how CyberProof can help you reduce exposure and uncover unknown risk that EDR detection may miss in hybrid and cloud-native environments.