Fox Malware Outfoxed

The Network: A cloud services provider headquartered in the Washington D.C. metro area delivered EventTracker SIEM to an end customer that ran traditional anti-virus software, six firewalls, and 25 servers and workstations across three office locations.
 
The Expectation: Open RDP (Remote Desktop Protocol) ports are undesirable, but they are often a convenience that lets the MSP log in remotely and manage Windows endpoints. Basic password hygiene was in place and was expected to protect these open ports.
 
The Catch: The EventTracker SOC (Security Operations Center) observed the execution of a new EXE that in turn launched PowerShell commands and connected to an IP address with a poor reputation.
 
The Find: VirusTotal confirmed the process as malware; sadly, many well-known anti-virus products do not detect it. Left unchecked, it scans for open RDP ports and brute-forces its way in, then encrypts files, appending .fox to each file name. To hinder recovery it disables startup repair and deletes volume shadow copies, and for persistence it schedules itself to run again. It also communicates extensively with C&C (Command & Control) servers.
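The behaviours in The Catch and The Find translate directly into hunt rules. The script below is an added example, not EventTracker's or the MSP's code: it runs four such rules (RDP brute force, PowerShell spawned by an unexpected parent, recovery tampering and task scheduling, files renamed to .fox) over a handful of constructed events shaped like Windows Security 4625 and 4688 records and Sysmon event 11. The hostnames, IP addresses, paths, timestamps, and the brute-force threshold and window are assumptions for illustration, not values from this incident.

```python
"""Hunt rules for the .fox ransomware behaviours described above.

Added example, not EventTracker's or the MSP's code. Events are constructed
to resemble Windows Security 4625 (failed logon) and 4688 (process creation)
records and Sysmon event 11 (file create); hosts, IPs, paths, timestamps and
thresholds are invented for illustration.
"""
import re
from collections import defaultdict

RDP_LOGON_TYPE = 10        # LogonType 10 = RemoteInteractive, i.e. RDP
BRUTE_FORCE_THRESHOLD = 5  # assumed: this many failed RDP logons from one source
BRUTE_FORCE_WINDOW = 60    # assumed: within this many seconds (sample ts are seconds)
RANSOM_EXTENSION = ".fox"
# Parent directories from which a powershell.exe launch is considered expected.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Command lines that delete shadow copies, disable startup repair, or create a
# scheduled task: the recovery-tampering and persistence steps described above.
RECOVERY_TAMPER_PATTERNS = [
    ("shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup repair disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("scheduled task created", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\admin\AppData\Local\Temp\svchost32.exe"  # constructed "new EXE" path
SAMPLE_EVENTS = [  # constructed, not telemetry from the incident
    # five failed RDP logons from one external address within five seconds
    *[{"id": 4625, "ts": 100 + i, "host": "WS07", "src_ip": "203.0.113.9",
       "logon_type": RDP_LOGON_TYPE, "user": u}
      for i, u in enumerate(["admin", "administrator", "backup", "test", "admin"])],
    # one mistyped password from the LAN: below threshold, not a hit
    {"id": 4625, "ts": 140, "host": "WS07", "src_ip": "10.0.0.5",
     "logon_type": RDP_LOGON_TYPE, "user": "jdoe"},
    # new EXE in a temp directory spawns PowerShell, then tampers with recovery
    {"id": 4688, "ts": 200, "host": "WS07", "parent": DROPPER, "image": PS,
     "cmdline": r"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\run.ps1"},
    {"id": 4688, "ts": 201, "host": "WS07", "parent": DROPPER,
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 4688, "ts": 202, "host": "WS07", "parent": DROPPER,
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"id": 4688, "ts": 203, "host": "WS07", "parent": DROPPER,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "WinUpdate" /tr ' + DROPPER},
    # an admin opening PowerShell from Explorer: expected parent, not a hit
    {"id": 4688, "ts": 300, "host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Process"},
    # file creates: one encrypted document, one ordinary file
    {"id": 11, "ts": 210, "host": "WS07", "target": r"C:\Users\admin\Documents\budget.xlsx.fox"},
    {"id": 11, "ts": 211, "host": "WS07", "target": r"C:\Users\admin\Documents\notes.txt"},
]


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Map source IP -> most failed RDP logons seen in any window, for sources at/over threshold."""
    times_by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            times_by_src[e["src_ip"]].append(e["ts"])
    hits = {}
    for src, times in times_by_src.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def detect_untrusted_powershell(events):
    """powershell.exe launched by a parent outside Windows / Program Files (the 'new EXE' above)."""
    return [(e["host"], e["parent"], e["cmdline"]) for e in events
            if e["id"] == 4688 and e["image"].lower().endswith("\\powershell.exe")
            and not e["parent"].lower().startswith(TRUSTED_PARENT_DIRS)]


def detect_recovery_tampering(events):
    """Process creations whose command line matches a recovery-tampering or persistence pattern."""
    return [(e["host"], label, e["cmdline"]) for e in events if e["id"] == 4688
            for label, pat in RECOVERY_TAMPER_PATTERNS if pat.search(e["cmdline"])]


def detect_ransom_extension(events, ext=RANSOM_EXTENSION):
    """File creates whose name ends in the ransomware's extension."""
    return [(e["host"], e["target"]) for e in events
            if e["id"] == 11 and e["target"].lower().endswith(ext)]


def triage(events):
    """Run every rule; hosts named by the process and file rules are the ones to quarantine."""
    findings = {
        "rdp_brute_force": detect_rdp_brute_force(events),
        "untrusted_powershell": detect_untrusted_powershell(events),
        "recovery_tampering": detect_recovery_tampering(events),
        "ransom_extension": detect_ransom_extension(events),
    }
    hosts = {hit[0] for key in ("untrusted_powershell", "recovery_tampering", "ransom_extension")
             for hit in findings[key]}
    return findings, sorted(hosts)


if __name__ == "__main__":
    findings, hosts = triage(SAMPLE_EVENTS)
    for rule, hits in findings.items():
        print(f"{rule}: {hits}")
    print("quarantine:", hosts)
```

On the constructed sample the brute-force rule names the single external source, the parent-process rule fires only on the PowerShell launched from the temp-directory EXE and not on the admin's Explorer-launched shell, and the combined triage points at one host to quarantine. The brute-force threshold and window are the knobs to tune against real traffic; the process and file rules need no tuning beyond the trusted-parent list.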
 
The Fix: The EventTracker SOC promptly alerted the MSP, which quarantined the machine and re-imaged it. Because the malware brute-forced its way in, any credentials valid on that host should be treated as compromised and rotated. It is important to close RDP ports that are reachable from the internet, as they can be used to attack a machine remotely; where remote management is genuinely needed, reach RDP through a VPN or a gateway rather than exposing it directly.
 
The Lesson: Open RDP ports are a convenience for MSPs. However, convenience is the enemy of security.