SentinelLabs 2020 Review of Fighting Cybercrime

SentinelLabs came into being at the back end of 2019 as a means of providing value to the cyber security community by focusing on research and threat intelligence unavailable elsewhere.

Looking back over the last 12 months, they have seen the cybercrime story unsurprisingly dominated by social engineering and malware campaigns themed around the COVID-19 pandemic. But there were also a lot of other things going on, from an explosion in RaaS (ransomware as a service) offerings and victim data exploitation with operators like Maze and Egregor, to a unique macOS ransomware/spyware campaign and, notably, the SUNBURST SolarWinds Orion supply chain attack.

You can catch up on all their research and threat intelligence posts at SentinelLabs, but here is a brief recap of some of the main highlights:


SentinelLabs broke news of a new TrickBot backdoor called “PowerTrick”. Built for stealth, persistence and reconnaissance, PowerTrick is deployed inside infected high-value targets such as financial institutions.


SentinelLabs rounded up a collection of the toolsets used by North Korean cybercrime actors, including Bistromath, Hoplight, Slickshoes and more.


SentinelLabs developed a unique SMT-based unpacker for the crypter used to obfuscate Get2 DLLs.


SentinelLabs was the first to uncover how the infamous IcedID botnet uses social engineering and custom PowerShell uploaders to steal documents related to the victim’s identity and tax returns.


SentinelOne’s Vigilance MDR team revealed how their Incident Response procedure uncovered an APT actor’s entry point, lateral movement, and persistence mechanisms.


SentinelLabs revealed affiliate preconditions, technical details, and victim exploitation associated with the NetWalker RaaS.


SentinelLabs researchers were the first to reverse the encryption routine used in a rare case of macOS ransomware and to release a public decryptor for any unfortunate victims.


SentinelLabs caught in action a Maze attack customized by human operators to exploit the victims’ particular environment, and detailed the attacker’s moves.


From the earliest months of the pandemic, threat actors exploited the COVID-19 coronavirus in multiple ways. A rolling blog post began in February and details the phishing campaigns and other social engineering lures seen by SentinelLabs throughout the year.


SentinelLabs was the first to uncover and reverse the ICMP component of the Anchor module.


SentinelLabs detailed the Egregor payload, its use of Cobalt Strike and Rclone, and its post-compromise behavior.


The final month of 2020 revealed that a nation-state actor had been running a campaign since at least April via what may turn out to be one of the most damaging supply chain attacks of all time, the compromise of SolarWinds Orion, first detected in the environment of cyber security outfit FireEye. SentinelLabs took a look inside the SUNBURST backdoor and the dropped SUPERNOVA webshell trojan.


2020 turned out to be a busy twelve months for all those involved in fighting cybercrime, and for SentinelLabs’ researchers, there was no shortage of threats and threat intelligence to keep on top of.

More details on the SentinelLabs research and findings are available in the full blog here.

Please contact your local Exclusive Networks Account Manager to learn more about how SentinelOne can better protect your organization from cyberattacks.