The end customer of a well-known Managed Services Provider (MSP) that uses EventTracker Co-managed SIEM to deliver value to its clients.
EventTracker Co-managed SIEM services, advanced endpoint protection, and behavior analytics deliver added protection for the MSP's customers.
After hours (7 p.m. local time), an employee browsing with Google Chrome visited a compromised website. The user was lured into downloading installer.exe, which in turn launched bowsetup.exe. Several additional DLLs were loaded, and the process attempted to communicate with a known botnet Command and Control (C2) server hosted in AWS. Every launched process and every outbound connection attempt was reported by the EventTracker sensor and acted upon by the SIEMphonic analyst.
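The chain described above (browser spawns an executable from a user-writable directory, a child of that executable then connects to a known C2 address) is exactly the kind of correlation a SIEM analyst builds from endpoint telemetry. The following is an added illustrative example, not EventTracker's or the MSP's own code: it runs two simple rules over constructed, Sysmon-like process-create and network-connect events. The hostname, user, PIDs, timestamps and the C2 address (taken from the 203.0.113.0/24 documentation range) are all made up for the example; a real deployment would feed in sensor events and a threat-intelligence blocklist instead.

```python
"""Correlate a browser-spawned downloader chain with a known C2 connection.

Added example, not code from the original page. Events below are CONSTRUCTED
in a Sysmon-like shape: id 1 = process create, id 3 = network connect.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry from one endpoint (hypothetical user "jdoe").
EVENTS = [
    {"id": 1, "ts": "2019-03-05T19:02:11", "pid": 4120, "ppid": 3300,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "ts": "2019-03-05T19:06:40", "pid": 5012, "ppid": 4120,
     "image": r"C:\Users\jdoe\Downloads\installer.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 1, "ts": "2019-03-05T19:06:42", "pid": 5030, "ppid": 5012,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\bowsetup.exe",
     "parent": r"C:\Users\jdoe\Downloads\installer.exe"},
    {"id": 3, "ts": "2019-03-05T19:06:45", "pid": 5030,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\bowsetup.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"id": 3, "ts": "2019-03-05T19:06:50", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "198.51.100.10", "dst_port": 443},
]

# Hypothetical threat-intel blocklist (documentation-range address, not real).
KNOWN_C2 = {"203.0.113.45"}

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Directory fragments a normal user can write to; an .exe here is suspect.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")


def basename(path):
    """Last path component, lower-cased, of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def after_hours(ts, start=19, end=7):
    """True if the ISO timestamp falls outside the 07:00-19:00 working day."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start or hour < end


def build_tree(events):
    """Index process-create events: pid -> event, and ppid -> [child pids]."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    return procs, children


def descendants(root, children):
    """All pids transitively spawned by `root`."""
    out, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def chain(pid, procs):
    """Render the ancestry of `pid` as 'parent -> child -> ...'."""
    names = []
    while pid in procs:
        names.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " -> ".join(reversed(names))


def detect(events, c2_ips):
    """Return one alert per C2 connection made from a browser-spawned chain."""
    procs, children = build_tree(events)
    # Rule 1: a browser launched an executable from a user-writable directory.
    roots = [
        pid for pid, e in procs.items()
        if basename(e["parent"]) in BROWSERS
        and any(seg in e["image"].lower() for seg in USER_WRITABLE)
    ]
    alerts = []
    for root in roots:
        tree = {root} | descendants(root, children)
        # Rule 2: any process in that tree contacted a known C2 address.
        for e in events:
            if e["id"] == 3 and e["pid"] in tree and e["dst_ip"] in c2_ips:
                alerts.append({
                    "chain": chain(e["pid"], procs),
                    "dst_ip": e["dst_ip"],
                    "dst_port": e["dst_port"],
                    "severity": "high" if after_hours(e["ts"]) else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_C2):
        print(alert)
```

Note that Chrome's own connection to 198.51.100.10 does not fire, because rule 2 only considers processes below the suspicious root, and a connection from the chain to an address that is not on the blocklist would not fire either; in practice the second rule is the one that gets tuned (e.g. adding rare-destination or newly-registered-domain checks) because the blocklist is only as good as the threat intelligence behind it.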
HEUR:Trojan-Downloader.Script.Generic is the heuristic detection name for a Trojan downloader that opens a "back door" on the infected system. It downloads additional malware and gives remote attackers full control over the targeted computer. Once installed, the infection attaches itself to system files and automatically executes its corrupt files at system start-up. The Trojan also collects personal information and changes or deletes system files.
The specific endpoint involved in this incident was identified, along with details of every process that was launched and every external IP address contacted. Our SOC recommended the following, in this order, so that the infected host is cut off from the C2 server before any cleanup begins:
- Isolate the system from the network.
- Remove the following files and folders:
  %APPDATA%\[RANDOM CHARACTERS].js
  \Uninstall HEUR.Trojan.Win32.Generic
  %LocalAppData%\HEUR.Trojan.Win32.Generic virus\
- Make sure that all unwanted registry entries created by the process are removed.
- Block, at the firewall, all IP addresses that the process communicated with.
- Boot the system into safe mode and perform an in-depth anti-virus scan.
AV, software patching, and network scanners are necessary but not sufficient. An additional layer of logging and analysis is needed to find intrusions that go unnoticed by these traditional controls.