This week, one of our threat analysts noticed a suspicious domain on a report he was reviewing for a new Dark Cubed client. A machine on the client’s network was continuously reaching out to this domain, approximately once every minute. Further investigation identified the server as a suspected ransomware command and control host; presumably, the malware on the client’s machine was programmed to attempt a connection every minute. The investigation is ongoing, but it is possible the client’s machine was infected by an Initial Access Broker’s malware, which established itself on the network and was attempting to connect to its ransomware command and control infrastructure.
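The one-minute callback pattern described above is something a defender can hunt for directly in DNS or proxy logs: a host querying the same domain at a near-constant interval. The following is an added example, not Dark Cubed’s code or analytics; the log format, client addresses, domain names and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log lines (not real client data):
# "<ISO timestamp> <client ip> <queried domain>"
SAMPLE_LOG = """\
2021-11-02T09:00:02Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:00:09Z 10.20.1.12 updates.example-ok.test
2021-11-02T09:01:03Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:02:01Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:02:40Z 10.20.1.12 updates.example-ok.test
2021-11-02T09:03:02Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:04:04Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:05:02Z 10.20.1.57 c2.example-bad.test
2021-11-02T09:11:15Z 10.20.1.12 updates.example-ok.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Group query timestamps (epoch seconds) by (client, domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        series[(m.group(2), m.group(3))].append(ts.timestamp())
    return series

def find_beacons(series, min_queries=5, max_cv=0.10):
    """Return (client, domain, median_gap_seconds) for regular callbacks.
    A low coefficient of variation (stdev / median) of the gaps between
    successive queries is the signature of a timer-driven implant check-in;
    human-driven or scheduler-driven traffic is far more irregular."""
    hits = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        cv = statistics.pstdev(gaps) / med if med else float("inf")
        if cv <= max_cv:
            hits.append((client, domain, round(med)))
    return hits

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))
```

Flagged (client, domain) pairs are candidates for enrichment against threat intelligence, not verdicts; legitimate software also polls on timers, so the domain’s reputation decides whether to block.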
The evidence of the server’s ransomware link is that the client machine’s queries were associated with at least two distinct, but reportedly linked, malware families:
- A banking Trojan, BokBot (aka IcedID), which the FBI alleged in August of this year to have been used in attacks by the ransomware actor OnePercent Group
- Second-stage Cobalt Strike Beacon implants, which the FBI ties to the above-mentioned ransomware attacks; Mandiant corroborates the observed FQDNs’ ties to ransomware activity and provides additional evidence that the operator behind the first-stage BokBot implants may have been acting as an Initial Access Broker (IAB) for the OnePercent Group in these attacks
Fortunately, the suspected command and control server was no longer active, and the malware was unable to establish communications with it, so no damage was inflicted on the Dark Cubed client’s network. Importantly, the command and control domain had already been flagged as high risk by Dark Cubed’s threat scoring analytics, but the client had yet to activate auto-blocking on their Dark Cubed platform. Had they done so, the machine carrying the seed malware would never have been able to reach the command and control server, even if it had still been active.
Even so, the Dark Cubed client used the data from the platform to identify the infected machine, greatly aiding the remediation investigation.
In this case, the customer was able to discover the attack using Dark Cubed, which is a great first step. However, had the customer enabled auto-blocking on the platform when they first set it up, the attack attempt would have been blocked with no human interaction required, all with a platform that is incredibly affordable and takes minutes to set up.
Download our one-page fact sheet to learn more about how Dark Cubed can protect your MSP’s SMB clients automatically.