ESCU 5.8.0 contains some exciting new content to help in the fight against Remote Employment Fraud and abuse of the Inno Setup tool. This release also includes detections related to the abuse of Chromium Web Browser and Internet Explorer for code execution and file transfer purposes. Finally, ESCU 5.8.0 includes a number of updates and improvements to increase the quality of existing detections.

• Remote Employment Fraud Detections:

  Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents, which are used to hide the true identity and location of an employee. This release includes a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.

• Bugfixes based on community feedback:

  Inno Setup AbuseInno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. Recently, it has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. This story demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.

• Web Browser Abuse:

  Locally installed malware might use web browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. This release supplies a number of analytics which recognize these suspicious flags.

• Malicious Inno Setup Loader

• Remote Employment Fraud

• Windows Chromium Browser No Security Sandbox Process
• Windows Chromium Browser with Custom User Data Directory
• Windows DNS Query Request To TinyUrlWindows Disable Internet Explorer Addons

• Added macro zoom_index
• Updated macro gsuite_drive

• As previously communicated in the ESCU v5.6.0 release, several detections have been removed. For a complete list of the detections removed in version v5.8.0, refer to the List of Removed Detections in v5.8.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.10.0, see the List of Detections Scheduled for Removal in ESCU v5.10.0.