The Nitol Trojan, Caught and Killed

The Network: A healthcare services provider on the west coast of the U.S. They use EventTracker’s SIEMphonic service.

The Expectation: Robust and up-to-date prevention mechanisms (Antivirus, Next Gen Firewall) thwart most common attacks, but since perfect protection is not practical and monitoring is also necessary.

The Catch: EventTracker analysts found a program communicating with several external IP addresses that were known to have a bad reputation. The catch was discovered to be a Nitol Trojan that is unable to spread by itself, but is able to perform a number of actions of a hacker’s choice. EventTracker analysts used the following features to detect this threat:

  • Network Connections Monitoring (NCM)
  • Integrated firewall logs
  • Behavior

NITOL Trojan Synopsis:

  1. Copies Itself To
  • C:\WINDOWS\Tasks\csrss.exe
  1. Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit

43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 5c 75 73 65 72 69 6e 69 74 2e 65 78 65 2c 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 61 73 6b 73 5c 63 73 72 73 73 2e 65 78 65 00 00 10 90 7c 5c f6 12 00 00 00 00 00 2c f7 12 00 00 e9 90 7c 40 04 91 7c 00 d6 97 7c 29 40 91 7c 1c 40 91 7c 08 02 00 00

  1. Processes Created
  • c:\windows\tasks\csrss.exe
  1. Network connections to command centers

The find: SIEMphonic analysts found this program by reviewing Firewall logs (Palo Alto) as a threat monitoring activity. The analysts also found external systems connecting to more than 200 IP addresses in a span of 4 days, most of which were coming from Russia and Ukraine. The checks revealed that these IP addresses were known for hosting Malware. The tricky part is that NITOL uses in-built Windows program userinit.exe, which can never be used legitimately to connect to any external bad addresses. Userinit.exe is a Windows process launched upon user logon, which runs all the startup scripts and reestablishes network connections and then starts explorer.exe. The Trojan also created a new process using the parent process csrss.exe. All of this information confirmed that the Trojan program was sending information out to the attacker’s command and control center.

The Fix: The customer was immediately notified and theTrojan was neutralized using anti-malware program. A large compromise, which could have had major financial and reputational impacts, was deterred.

The Lesson: Although A/V was available, it was insufficient to catch this kind of attack. It is imperative to have an additional level of logging and analysis to find threats like these that go unnoticed by traditional defenses. In this case EventTracker was instrumental in helping the analysts to perform forensics, and to confirm and neutralize the threat.