HEUR Trojan Downloader Quashed

The Network: The end customer of a well-known Managed Services Provider (MSP) who uses EventTracker Co-managed SIEM to deliver value to their clients.
 
The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for MSP customers.
 
The Catch: After hours (7 p.m. local), an employee was web surfing using Google Chrome and visited a compromised website. The user was lured into downloading installer.exe, which in turn launched bowsetup.exe. Many other DLLs were launched, and communication was attempted with a known botnet Command and Control server hosted in AWS. All of the launched processes and outbound connection attempts were reported by the EventTracker sensor and acted upon by the SIEMphonic analyst.
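
The chain described above (browser, downloaded installer, child process, outbound connection) can be expressed as a simple lineage rule. The following is an added example, not EventTracker's detection logic: the event fields, PIDs, paths and IP addresses are constructed, and it assumes the installer was started directly from the browser.

```python
# Added illustration: flag outbound connections made by any descendant of an
# executable that a browser launched from a user-writable directory.
# All events are constructed samples; field names are assumptions.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")

EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "proc", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u1\Downloads\installer.exe"},
    {"type": "proc", "pid": 300, "ppid": 200,
     "image": r"C:\Users\u1\AppData\Local\Temp\bowsetup.exe"},
    {"type": "net", "pid": 300, "dest": "203.0.113.10"},   # descendant calls out
    {"type": "proc", "pid": 400, "ppid": 1,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "net", "pid": 100, "dest": "198.51.100.7"},   # normal browser traffic
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_browser_drop_chains(events):
    """Return one alert per outbound connection from a browser-dropped lineage."""
    procs = {}    # pid -> image name of every process seen
    tainted = {}  # pid -> lineage from the browser down to this process
    alerts = []
    for ev in events:
        if ev["type"] == "proc":
            name = basename(ev["image"])
            procs[ev["pid"]] = name
            parent = procs.get(ev["ppid"])
            if ev["ppid"] in tainted:
                # Child of an already suspicious process inherits the lineage.
                tainted[ev["pid"]] = tainted[ev["ppid"]] + [name]
            elif (parent in BROWSERS and name not in BROWSERS
                  and any(d in ev["image"].lower() for d in USER_WRITABLE)):
                # Browser started a non-browser binary from a user-writable path.
                tainted[ev["pid"]] = [parent, name]
        elif ev["type"] == "net" and ev["pid"] in tainted:
            alerts.append({"chain": tainted[ev["pid"]], "dest": ev["dest"]})
    return alerts

if __name__ == "__main__":
    for alert in find_browser_drop_chains(EVENTS):
        print(" -> ".join(alert["chain"]), "connected to", alert["dest"])
```

The browser's own traffic and unrelated processes produce no alert; only the connection made by the installer's descendant is reported.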
 
The Find: HEUR:Trojan-Downloader.Script.Generic is a noxious Trojan that opens security "back doors". It downloads additional malware infections and gives remote attackers full control over the targeted computer system. Once installed on the target, this infection attaches itself to system files and automatically executes corrupt files at system startup. The trojan also collects personal information, and changes or deletes system files.
 
The Fix: The specific endpoint involved in this incident was identified, along with details of all processes that were launched, and the external IP addresses contacted. Our SOC recommended the following:
  • Isolate the system from the network.
  • Remove the following files and folders:
    %APPDATA%\[RANDOM CHARACTERS].js
    %Programdata%\
    %windows%\system32\drivers\HEUR.Trojan.Win32.Generic.sys
    %Desktop%\HEUR.Trojan.Win32.Generic.lnk
    %AppData%\result.db
    %CommonPrograms%\HEUR.Trojan.Win32.Generic.lnk
    %DesktopDir%\HEUR.Trojan.Win32.Generic.lnk
    %UserProfile%\Start Menu\Programs\HEUR.Trojan.Win32.Generic\Uninstall HEUR.Trojan.Win32.Generic
    %Temp%\
    %appdata%\Roaming\Microsoft\Windows\Templates\
    %CommonStartMenu%\Programs\random
    %UserProfile%\Desktop\HEUR.Trojan.Win32.Generic.lnk
    %AllUsersProfile%\Start Menu\Programs\HEUR.Trojan.Win32.Generic.lnk
    %LocalAppdata%\HEUR.Trojan.Win32.Generic virus\uninstall\HEUR.Trojan.Win32.Generic virus.lnk
    %program files%\NPSWF32.dll
    %AppData%\[random].exe
  • Make sure that all unwanted registry entries created by the process are removed.
  • Block all IP addresses the process communicated with at the firewall.
  • Boot the system into safe mode and perform an in-depth anti-virus scan.
The Lesson: AV, software patching, and network scanners are necessary but not sufficient. An additional level of logging and analysis is needed to find vulnerabilities that go unnoticed by these traditional controls.