Blog

No items found.

Anatomy of a zero-day trojan caught by our Darktrace appliance

Anatomy of a zero-day trojan caught by our Darktrace applianceDefault blog imageDefault blog image
04
Feb 2019
04
Feb 2019

The following guest-authored blog post examines an advanced cyber-threat discovered by Darktrace on a customer’s network.

Previously I have talked about how Darktrace is a force multiplier for Hydrotech. As an example of this, I am sharing the anatomy of a zero-day trojan that was caught by our Darktrace system on the afternoon of Thursday, January 17. The following process was completed, in its entirety, within 20 minutes.

Remediation started within five minutes of the initial identification of the VMWare recompose process. Although the following notifications appeared at 1:38 p.m., I was working on another unrelated issue and didn’t find this information until 2:15 p.m., at which point I started my investigation and remediation efforts.

Darktrace Email Notifications @ 1:38PM EST 1/17/2018:
2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Pattern of Life Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:38:05 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block"

Anomalous File / Multiple EXE from Rare External Locations

2019-01-17 18:38:14 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena File then New Outbound Block"

Anomalous File / EXE from Rare External Location

Review of Darktrace breach logs

The first breach log showed a file downloaded by the name “MediaTable.bin.”

This was followed shortly after by a second file downloaded by the name “OfficeActivate.bin.”

At this point I contacted the end user and told them that I was going to perform an emergency recompose within VMWare — restoring their VM to a previously known good version of the operating system — to block a suspicious software that they had downloaded 30 minutes prior. This action effectively removes any applications that have been installed on the virtual desktop computer.

After starting the recompose efforts, I then proceeded to run the URLs that I had gathered through virustotal.com to see what had been downloaded:

For the file MediaTable.bin, virustotal.com informed me that four engines detected the URL as containing malicious content.

For the file OfficeActivate.bin, virustotal.com informed me that three engines detected the URL as containing malicious content.

Review of our Intrusion Detection System on the firewall showed the following initial approval, followed by a second alert — several hours later — that changed the approval to a diagnostic of malicious, after the files had already been downloaded.

1/17/2019 13:38
File Scanned
69.163.33[.]84
Allowed
OfficeActivate.bin downloaded from [http://69.163.33[.]84:8080/ELjOX2c8/OfficeActivate.bin]
1/17/2019 13:37
File Scanned
91.205.215[.]13
Allowed
MediaTable.bin downloaded from [http://91.205.215[.]13:8080/O11L9Qub/MediaTable.bin]
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: OfficeActivate.bin
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: MediaTable.bin

I then input the IP addresses previously identified into the Darktrace interface to determine if any other devices had accessed them. Fortunately, I found that they had not.

Images of the event logs for those IP addresses from within Darktrace are as follows:

Event log for 69.163.33[.]84.

Event log for 91.205.215[.]13.

Further research showed that this attack was, in fact, a zero-day trojan that was first detected in the wild on January 17, 2019 — the same day as our breach. My review of the forensics for this breach, along with my review of the activity of the user utilizing the victimized virtual machine, revealed that the attack originated from this user clicking on a phishing link from their email.

I feel fairly lucky that I have Darktrace, because without it I am not sure if or when this trojan would have been identified on our network.

If there is anyone out there who has questions about Darktrace, please message me privately, as I have just become Darktrace’s biggest evangelist!

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Keith Siepel
IT Manager, Hydrotech, Inc.
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Anatomy of a zero-day trojan caught by our Darktrace appliance
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.