Bunitu Trojan trapped

The Network: A diversified global financial services company based on the U.S. east coast. Their IT team is supplemented by SIEMphonic, EventTracker’s co-managed security solution.
The Expectation: Robust and up-to-date (anti-virus, next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Employees have been trained and can be counted on to make good decisions.
The Catch: Our SOC observed a pattern of suspicious network traffic from various internal desktops to external addresses associated with malvertising. The EventTracker sensor on the desktop reported the network traffic, and the Behavior Anomaly Module identified the pattern as out of the ordinary.
The Find: On deeper investigation, one of the desktops was found to be infected with the Bunitu Trojan. This infection is known to be delivered by the Neutrino Exploit Kit via a malvertising campaign. Bunitu exposes the infected computer to be used as a proxy for remote clients. This happens in a few steps:
  • Installs itself on the machine
  • Opens ports for the remote connections
  • Registers itself with the remote server (the client database), reporting its address and open ports
  • Accepts connections arriving on the exposed ports and relays the traffic
This can have various consequences for the infected user. At a minimum, it consumes their resources and slows down their network traffic. But it may also implicate them in illegal activity carried out by the attacker, since the infected client’s IP address is the one visible from the outside.
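The two signals the SOC relied on here, relay-style inbound connections on a desktop and outbound traffic to malvertising destinations, can be expressed as simple checks over endpoint-sensor connection records. This is an added example, not EventTracker or SIEMphonic code; the record format, hostnames and all addresses (including the "malvertising" blocklist) are constructed placeholders.

```python
"""Surface Bunitu-style proxy behaviour from constructed endpoint connection records.
Added example; record layout (host, direction, local_port, remote_ip) and all
addresses are constructed, not taken from a real sensor or threat feed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholder destinations standing in for a malvertising blocklist.
MALVERTISING_IPS = {"203.0.113.80", "203.0.113.81"}

# Constructed sensor records: (host, direction, local_port, remote_ip).
RECORDS = [
    ("ws-07", "out", 51000, "93.184.216.34"),   # ordinary browsing
    ("ws-12", "in",  41337, "198.51.100.7"),    # three unrelated external peers
    ("ws-12", "in",  41337, "198.51.100.23"),   # hitting one high local port:
    ("ws-12", "in",  41337, "198.51.100.99"),   # the relay pattern described above
    ("ws-12", "out", 52010, "203.0.113.80"),    # plus traffic to an ad destination
    ("ws-30", "in",  3389,  "10.0.5.2"),        # RDP from an internal admin host
    ("ws-30", "out", 52500, "203.0.113.81"),    # ad destination, but no relay behaviour
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def proxy_like_hosts(records, min_peers=3):
    """Return {host: {local_port: distinct_external_peers}} for hosts where at
    least min_peers distinct external sources connect inbound to one local port."""
    inbound = defaultdict(lambda: defaultdict(set))
    for host, direction, lport, rip in records:
        if direction == "in" and not is_internal(rip):
            inbound[host][lport].add(rip)
    return {h: {p: len(s) for p, s in ports.items() if len(s) >= min_peers}
            for h, ports in inbound.items()
            if any(len(s) >= min_peers for s in ports.values())}

def malvertising_contacts(records, blocklist=MALVERTISING_IPS):
    """Return {host: sorted blocklisted destinations it connected out to}."""
    hits = defaultdict(set)
    for host, direction, _lport, rip in records:
        if direction == "out" and rip in blocklist:
            hits[host].add(rip)
    return {h: sorted(v) for h, v in hits.items()}

def triage(records):
    """Hosts with either signal, those showing both (as in this case) listed first."""
    proxy, ads = proxy_like_hosts(records), malvertising_contacts(records)
    return sorted(set(proxy) | set(ads), key=lambda h: (not (h in proxy and h in ads), h))

if __name__ == "__main__":
    print(proxy_like_hosts(RECORDS), malvertising_contacts(RECORDS), triage(RECORDS))
```

Only ws-12 shows both signals, which is the host an analyst would scan first; ws-30 contacted an ad destination but accepts connections only from an internal host, so it ranks lower.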
The Fix: A careful Malwarebytes scan of each desktop that exhibited the abnormal traffic detected Bunitu. The desktops were re-imaged and the advertising destinations blocked at the firewall.
The Lesson: The infected endpoint was covered by the EventTracker sensor. It was caught because our SOC noticed the abnormality and investigated it to its logical conclusion. Perfect protection is not practical, so monitoring is also necessary. Like the vast majority of attacks, this one was neither especially sophisticated nor a zero-day. However, complete coverage with up-to-date tools, manned by a dedicated team, makes the difference between being safe and being a statistic in the data breach stories.