Trickbot Attacks Promotional Products Industry

The Network: The end customer of a well-known Managed Services Provider (MSP) who uses Netsurion’s Co-managed SIEM to safeguard their customers.
 
The Expectation: Netsurion’s Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for the MSPs’ clients.
 
The Catch: Malware processes tttvc.exe and tmp1285.exe were observed on an endpoint connecting to multiple Russian proxy IP addresses. These processes were first-time-seen.
 
The Find: Attackers are targeting firms in the promotional products industry with targeted malware. The virus comes in an email that can purport to be from a customer. For example, the email asks the recipient to click on a link to complete a form related to shipping information. Clicking the link, which can come in a PDF, launches the virus.
 
The Fix: Isolate the endpoint from the network as it is communicating with outside bad actors. Reimage the system. 

The Lesson: User education about not clicking on links in email is vital. Watch network traffic to first-time-seen outside destinations. Endpoint Detection and Response (EDR) functionality is needed in addition to traditional signature-based protection. Most of all, 24/7 monitoring by a SOC analyst for out-of-ordinary activity is crucial.