Anatomy of a zero-day trojan caught by our Darktrace appliance

Keith Siepel, IT Manager at Hydrotech, Inc. (Guest Contributor) | Monday February 4, 2019

The following guest-authored blog post examines an advanced cyber-threat discovered by Darktrace on a customer’s network.


Previously I have talked about how Darktrace is a force multiplier for Hydrotech. As an example of this, I am sharing the anatomy of a zero-day trojan that was caught by our Darktrace system on the afternoon of Thursday, January 17. The following process was completed, in its entirety, within 20 minutes. 

Remediation started within five minutes of the initial identification of the VMWare recompose process. Although the following notifications appeared at 1:38 p.m., I was working on another unrelated issue and didn’t find this information until 2:15 p.m., at which point I started my investigation and remediation efforts.

Darktrace Email Notifications @ 1:38PM EST 1/17/2018:
2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Pattern of Life Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:38:05 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block"

Anomalous File / Multiple EXE from Rare External Locations

2019-01-17 18:38:14 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena File then New Outbound Block"

Anomalous File / EXE from Rare External Location

Review of Darktrace breach logs

The first breach log showed a file downloaded by the name “MediaTable.bin.”

This was followed shortly after by a second file downloaded by the name “OfficeActivate.bin.”

At this point I contacted the end user and told them that I was going to perform an emergency recompose within VMWare — restoring their VM to a previously known good version of the operating system — to block a suspicious software that they had downloaded 30 minutes prior. This action effectively removes any applications that have been installed on the virtual desktop computer.

After starting the recompose efforts, I then proceeded to run the URLs that I had gathered through virustotal.com to see what had been downloaded:

For the file MediaTable.bin, virustotal.com informed me that four engines detected the URL as containing malicious content.

For the file OfficeActivate.bin, virustotal.com informed me that three engines detected the URL as containing malicious content.

Review of our Intrusion Detection System on the firewall showed the following initial approval, followed by a second alert — several hours later — that changed the approval to a diagnostic of malicious, after the files had already been downloaded.

1/17/2019 13:38
File Scanned
69.163.33[.]84
Allowed
OfficeActivate.bin downloaded from [http://69.163.33[.]84:8080/ELjOX2c8/OfficeActivate.bin]
1/17/2019 13:37
File Scanned
91.205.215[.]13
Allowed
MediaTable.bin downloaded from [http://91.205.215[.]13:8080/O11L9Qub/MediaTable.bin]
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: OfficeActivate.bin
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: MediaTable.bin

I then input the IP addresses previously identified into the Darktrace interface to determine if any other devices had accessed them. Fortunately, I found that they had not.

Images of the event logs for those IP addresses from within Darktrace are as follows:

Event log for 69.163.33[.]84.

Event log for 91.205.215[.]13.

Further research showed that this attack was, in fact, a zero-day trojan that was first detected in the wild on January 17, 2019 — the same day as our breach. My review of the forensics for this breach, along with my review of the activity of the user utilizing the victimized virtual machine, revealed that the attack originated from this user clicking on a phishing link from their email.

I feel fairly lucky that I have Darktrace, because without it I am not sure if or when this trojan would have been identified on our network.

If there is anyone out there who has questions about Darktrace, please message me privately, as I have just become Darktrace’s biggest evangelist!