Private Healthcare Organisation

Increasing incident severity

Almost immediately after notifying the client of the incident, the Redscan team detected the same malware on two additional hosts, prompting the incident to be escalated to a P1 – a level of classification reserved for critical incidents which pose an extremely high degree of risk.

Redscan’s incident response playbook for malware infections was in full execution at this point. To prevent additional infections, the CSOC used Cb Response to ban the signature of the identified malware binaries and, with the client’s authorisation, used the same tool’s incident response capabilities to quickly isolate all infected hosts from the network.

Investigating the kill chain

Upon containing the malware, the Redscan team set about analysing the kill chain of the attack – how it was able to obtain a foothold on the client’s network and spread so quickly.

By recording each and every file execution and modification, registry change, network connection and binary execution across all installed hosts, Cb Response is an important tool that helps the Redscan CSOC team perform more detailed digital forensics to inspect deeper into IT networks for signs of malicious activity.

One of the binaries that Cb Response identified was attached to the roaming Windows® profile of one particular employee, who had logged into multiple endpoints, thus spreading the infection in the process.

The malware detected, Trickbot, was a Trojan designed to harvest user credentials, exfiltrate data and add infected hosts to a botnet of devices.

While forensic investigation of network and endpoint log files revealed no evidence of data loss, the malware was observed to have conducted an internal network IP scan – designed to obtain DNS information about the network which could be used to help attackers spoof network addresses for social engineering scams.

Owing to the advanced, persistent nature of the malware, identifying the source of the attack proved harder to ascertain. Previous variations of the Trickbot malware are known to be widely distributed by spam emails as well as infected attachments and URLs. The team had no reason to suspect that the source of this infection was anything different.

A highly persistent threat

In the week that followed detection of the original four malware infections, the Redscan’s CSOC team observed 12 additional malware binaries resident on hosts, each with a different signature and attempting to communicate with malicious IP addresses in locations including Russia, Germany, France and Canada. The new infections were linked to the roaming profiles of a number of employees, including a system administrator.

Whenever a new infected host was identified, it was quickly isolated from the network for a minimum of 12 hours and scanned to remove the infection. As an additional precaution, particularly given the evidence that a system administrator had been compromised, all of the client’s employees were encouraged to reset their Windows login credentials.

Further forensic investigation by the Redscan team revealed references, within the malware’s code, to RDP-related registry keys. Disabling Remote Desktop in Windows to mitigate the risk of any unauthorised connections was subsequently recommended.

Preventing future incidents

After receiving confirmation that all infected machines had been successfully cleaned, and with no new infections reported, the incident was finally closed by the Redscan team. Given the severity of the incident, a detailed report was prepared for the client. This included a full event timeline, detailing all actions taken, and a list of recommendations to help mitigate the risk of future attacks.

The advanced persistent nature of Trickbot, and other forms of malware, means that future attacks cannot be discounted. With Network and Endpoint MDR, the client can be sure, however, that it will be ready to respond quickly and effectively should any anomalous activity present itself.