Trojan Hunted at a Medical Center
The Network: A medical care organization operating with more than 6,000 endpoint devices across 8 sites.
The Expectation: Email communication is safe to use in business and healthcare correspondence, and users follow security and phishing best practices. Healthcare organizations such as the medical center invest accordingly to ensure compliance with mandates such as HIPAA. Given that cyber criminals will exploit every possible threat vector, constant detection and response are needed.
The Catch: Netsurion’s Security Operations Center (SOC) team monitored and detected the anomalous behavior related to Command & Control (C&C) connections and local user account enumeration attempts using advanced real-time alerts.
Based on the log analysis, the SOC analyst hunted down the trojan, which had been configured to run persistently, and advised the healthcare customer on threat response and remediation.
Incident Summary
Item | Detail | Notes
---|---|---
Type of Incident Detected | Type/Function: Trojan | QBot
Investigation Details | Target Machine (Managed/Unmanaged) | Windows 7 host on VMware (Windows 7 reached Microsoft end of support in 2020)
Incident Timeline | 6/1/2022 11:57:18 AM EST – 6/1/2022 06:00:00 PM EST |
Threat Source and Type | Weaponized Microsoft Excel document / Trojan |
Connection details (allow, deny, byte transfer, direction) | Allowed and blocked based on Netsurion’s SOC recommendations |
Security Gaps | |
Integration Gaps | No integration gaps |
Anti-Virus Solution Used by the Medical Center | Trend Micro Deep Security |
Determined Impact | Data Exfiltration | Local user account enumeration, outbound network connection attempts to botnet IP addresses. Data exfiltration was prevented.
The Find: Netsurion performed further forensics and identified that the threat was initiated by a malicious Microsoft Excel document. The attacker’s objective was to use a Visual Basic Script (VBScript) to launch sophisticated tactics to steal user information and then carry out a broader attack using the pilfered data.
Based on the assessment, the SOC analyst identified the trojan as the QBot or Qakbot family of malware. QBot is a large and modular family of trojans in use since 2007. While initially used as a banking trojan, it has since evolved to become utility malware to perform reconnaissance, move laterally, exfiltrate data, or deliver dangerous payloads. A wide variety of cyber criminal gangs use QBot.
The anatomy of the detected threat is as follows:
QBot Threat Chain Detected by Netsurion’s SOC Experts
The Trigger Point: The SOC identified both the C&C and enumeration attempts using the real-time alerts listed below, which are based on threat intelligence sources and known exploit patterns. Threat actors perform enumeration to gather user and machine names as well as network and system information.
- A suspicious exploit attempt detected
- A process connected to an unsafe IP address
ATT&CK Detections: The MITRE ATT&CK framework of real-world attacker tactics, techniques, and procedures (TTPs) is built into Netsurion’s Managed Threat Protection platform. These ATT&CK insights help Netsurion analysts perform structured threat hunting based on Indicators of Attack (IoA) to connect the missing dots and uncover similar patterns across the organization for a more comprehensive threat response.
Initial Access | Execution | Defense Evasion | Discovery | Command & Control
---|---|---|---|---
Spearphishing Attachment – T1193 | Command-Line Interface – T1059 | DLL Side-Loading – T1073 | Account Discovery – T1087 | Commonly Used Port – T1043
 | | | Network Share Discovery – T1135 |
 | | | Remote System Discovery – T1018 |
 | | | System Network Configuration Discovery – T1016 |
 | | | System Owner/User Discovery – T1033 |
Details of the Investigation: The SOC detected the suspicious outbound connection and exploit attempt on a VDI-based host. The customer was promptly notified of the threat and provided with guided remediation.
Initial Access: The threat actor gained access through a Visual Basic script embedded in a Microsoft Excel file delivered by spearphishing.
Execution and Persistence: The attacker persisted on the host by storing the compiled Visual Basic script as a registry entry and injecting a malicious DLL into Mobsync.exe.
Discovery: Process Mobsync.exe in turn launched Microsoft Windows default network administration tools whoami.exe, ARP.exe, Ipconfig.exe, net.exe, Route.exe, NETSTAT.exe to perform multiple discovery operations as shown below.
The SOC analyst detected and blocked the attacker’s discovery operation while the enumeration attempts were underway.
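As an added illustration, not Netsurion’s detection content, the chain described above (Excel handing an .ocx to regsvr32, regsvr32 spawning mobsync.exe, and mobsync.exe firing a burst of discovery tools) can be checked over process-creation events with three rules; the event records, the sample .ocx path and the burst thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, parent image, child image, command line).
# Modelled on the command-execution table in this write-up; not real telemetry.
EVENTS = [
    ("2022-06-01 11:57:18", "explorer.exe", "EXCEL.EXE", '"C:\\Program Files (x86)\\Microsoft Office\\Office15\\EXCEL.EXE"'),
    ("2022-06-01 11:57:31", "EXCEL.EXE", "regsvr32.exe", "regsvr32 C:\\sample.ocx"),  # constructed path
    ("2022-06-01 11:57:33", "regsvr32.exe", "mobsync.exe", "C:\\Windows\\SysWOW64\\mobsync.exe"),
    ("2022-06-01 11:58:02", "mobsync.exe", "net.exe", "net localgroup"),
    ("2022-06-01 11:58:03", "mobsync.exe", "NETSTAT.EXE", "netstat -nao"),
    ("2022-06-01 11:58:05", "mobsync.exe", "ROUTE.EXE", "route print"),
    ("2022-06-01 11:58:07", "mobsync.exe", "ipconfig.exe", "ipconfig /all"),
    ("2022-06-01 11:58:08", "mobsync.exe", "ARP.EXE", "arp -a"),
    ("2022-06-01 11:58:10", "mobsync.exe", "whoami.exe", "whoami /all"),
    # Benign admin session: one ipconfig from a console must not trigger the burst rule.
    ("2022-06-01 12:10:00", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
DISCOVERY = {"whoami.exe", "arp.exe", "ipconfig.exe", "net.exe",
             "route.exe", "netstat.exe", "nslookup.exe"}
BURST_MIN_TOOLS = 4                  # distinct discovery tools from one parent ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window (assumed thresholds)

def analyze(events):
    """Return (rule, parent, detail) findings over process-creation events."""
    findings = []
    per_parent = defaultdict(list)
    for ts, parent, child, cmdline in events:
        p, c = parent.lower(), child.lower()
        # Rule 1: an Office process handing an .ocx to regsvr32 (the loader step seen here).
        if p in OFFICE and c == "regsvr32.exe" and ".ocx" in cmdline.lower():
            findings.append(("office_regsvr32_ocx", p, cmdline))
        # Rule 2: regsvr32 spawning mobsync.exe, which is not a normal child of a COM registrar.
        if p == "regsvr32.exe" and c == "mobsync.exe":
            findings.append(("regsvr32_spawns_mobsync", p, cmdline))
        if c in DISCOVERY:
            per_parent[p].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), c))
    # Rule 3: many distinct discovery tools launched by one parent inside a short window.
    for p, runs in per_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {c for t, c in runs[i:] if t - t0 <= BURST_WINDOW}
            if len(tools) >= BURST_MIN_TOOLS:
                findings.append(("discovery_burst", p, ",".join(sorted(tools))))
                break
    return findings

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding, sep=" | ")
```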
Command & Control (C&C): The weaponized Mobsync.exe attempted to connect to multiple C&C servers across different countries. This suspicious activity was promptly detected by Netsurion’s SOC.
Cyber Kill Chain Summary: The Netsurion SOC’s quick response neutralized the nefarious trojan activity before damage was done.
The Fix: The SOC identified the root causes of the infection as a user opening a weaponized Excel document delivered by spearphishing, and an outdated Operating System (OS) in use at the healthcare organization. Netsurion provided the following guided remediation to assist the healthcare organization in reducing QBot impacts:
- Isolate the infected devices
- Disable accounts
- Scramble passwords
- Upgrade to the most current Operating System and keep systems patched
- Disable default network discovery
- Ensure all workstations and servers are actively being monitored and managed
- Implement network segmentation if not already in place
- Enhance focus and training on email security, such as spearphishing awareness, since this is a significant preventative measure
The SOC then updated the Netsurion Threat Center to include the Indicators of Compromise (IoCs) and further protect all its managed customers.
The Lesson: Ensure that Operating Systems are up-to-date, since cyber criminals use malware like QBot to target vulnerable systems. Customers should bolster their email security, since more than 70% of malware targets endpoints and lax user processes. Continuous detection and response from Netsurion’s 24/7/365 SOC ensures holistic visibility and rapid investigation. Finally, Netsurion’s threat hunting team proactively uncovers malware like trojans and their many stealthy variants. Learn more about how Netsurion protects against advanced threats like QBot.
Command Execution Observed:
Creator Process | Command Line | Application Name
---|---|---
EXCEL.EXE | “C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE” /Embedding | EXCEL.EXE
mobsync.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
mobsync.exe | net localgroup | net.exe
mobsync.exe | netstat -nao | NETSTAT.EXE
mobsync.exe | route print | ROUTE.EXE
mobsync.exe | net share | net.exe
mobsync.exe | nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._domain | nslookup.exe
mobsync.exe | net view /all | net.exe
mobsync.exe | ipconfig /all | ipconfig.exe
mobsync.exe | arp -a | ARP.EXE
mobsync.exe | cmd /c set | cmd.exe
mobsync.exe | whoami /all | whoami.exe
regsvr32.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
EXCEL.EXE | regsvr32 C:Remevch3.ocx | regsvr32.exe
EXCEL.EXE | regsvr32 C:Remevch2.ocx | regsvr32.exe
regsvr32.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
EXCEL.EXE | regsvr32 C:Remevch1.ocx | regsvr32.exe
EXCEL.EXE | “C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE” /Embedding | EXCEL.EXE
csrss.exe | ??C:\Windows\system32\conhost.exe “16601605855187146543724062536 23151691960740387-216275488-16409946351391149806” | conhost.exe
EXCEL.EXE | C:\Windows\splwow64.exe 8192 | splwow64.exe
explorer.exe | “C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE” | EXCEL.EXE