Anatomy of a zero-day trojan caught by our Darktrace appliance

Keith Siepel, IT Manager at Hydrotech, Inc. (Guest Contributor) | Monday February 4, 2019

The following guest-authored blog post examines an advanced cyber-threat discovered by Darktrace on a customer’s network.


Previously I have talked about how Darktrace is a force multiplier for Hydrotech. As an example of this, I am sharing the anatomy of a zero-day trojan that was caught by our Darktrace system on the afternoon of Thursday, January 17. The following process was completed, in its entirety, within 20 minutes. 

Remediation started within five minutes of the initial identification of the VMWare recompose process. Although the following notifications appeared at 1:38 p.m., I was working on another unrelated issue and didn’t find this information until 2:15 p.m., at which point I started my investigation and remediation efforts.

Darktrace Email Notifications @ 1:38PM EST 1/17/2018:
2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Pattern of Life Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:38:05 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block"

Anomalous File / Multiple EXE from Rare External Locations

2019-01-17 18:38:14 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena File then New Outbound Block"

Anomalous File / EXE from Rare External Location

Review of Darktrace breach logs

The first breach log showed a file downloaded by the name “MediaTable.bin.”

This was followed shortly after by a second file downloaded by the name “OfficeActivate.bin.”

At this point I contacted the end user and told them that I was going to perform an emergency recompose within VMWare — restoring their VM to a previously known good version of the operating system — to block a suspicious software that they had downloaded 30 minutes prior. This action effectively removes any applications that have been installed on the virtual desktop computer.

After starting the recompose efforts, I then proceeded to run the URLs that I had gathered through virustotal.com to see what had been downloaded:

For the file MediaTable.bin, virustotal.com informed me that four engines detected the URL as containing malicious content.

For the file OfficeActivate.bin, virustotal.com informed me that three engines detected the URL as containing malicious content.

Review of our Intrusion Detection System on the firewall showed the following initial approval, followed by a second alert — several hours later — that changed the approval to a diagnostic of malicious, after the files had already been downloaded.

1/17/2019 13:38
File Scanned
69.163.33[.]84
Allowed
OfficeActivate.bin downloaded from [http://69.163.33[.]84:8080/ELjOX2c8/OfficeActivate.bin]
1/17/2019 13:37
File Scanned
91.205.215[.]13
Allowed
MediaTable.bin downloaded from [http://91.205.215[.]13:8080/O11L9Qub/MediaTable.bin]
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: OfficeActivate.bin
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: MediaTable.bin

I then input the IP addresses previously identified into the Darktrace interface to determine if any other devices had accessed them. Fortunately, I found that they had not.

Images of the event logs for those IP addresses from within Darktrace are as follows:

Event log for 69.163.33[.]84.

Event log for 91.205.215[.]13.

Further research showed that this attack was, in fact, a zero-day trojan that was first detected in the wild on January 17, 2019 — the same day as our breach. My review of the forensics for this breach, along with my review of the activity of the user utilizing the victimized virtual machine, revealed that the attack originated from this user clicking on a phishing link from their email.

I feel fairly lucky that I have Darktrace, because without it I am not sure if or when this trojan would have been identified on our network.

If there is anyone out there who has questions about Darktrace, please message me privately, as I have just become Darktrace’s biggest evangelist!

Blog Archive

Friday February 15, 2019
Friday February 8, 2019
Monday February 4, 2019
Monday January 28, 2019
Thursday January 10, 2019
Monday December 3, 2018
Thursday November 22, 2018
Thursday October 25, 2018
Thursday October 4, 2018
Monday August 20, 2018
Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. He has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. He was most recently featured on BBC World, BBC Morning and Al Jazeera to comment on the news regarding the GRU.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.