Adware Creates a Nuisance at Energy Company

The Network: A non-profit Electricity Distribution Cooperative serving more than 100,000 members.
 
The Expectation: Monitoring web traffic is essential since so many threats are web-borne. 
 
The Catch: Outbound connections were observed from a desktop system to an IP address with a bad reputation, 213.186.33.87 (France), over ports 80 and 443 by the process iexplore.exe. This external IP address is associated with malicious activity, including hosting malware content and phishing attacks.
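The detection behind this catch is a join between endpoint connection events and a reputation list: a browser process making outbound web connections to a destination that threat intelligence has already flagged. The following Python is an added example written for this page, not Netsurion's own detection logic. It assumes a constructed key=value event format and a constructed sample of events; the only value taken from the case is the flagged IP address 213.186.33.87, and the other addresses are from RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of endpoint network-connection events (process, destination, port).
# These lines are invented for this example; they are not logs from the case above.
SAMPLE_EVENTS = [
    "2023-01-10T09:12:01Z host=WS-0142 proc=iexplore.exe dst=213.186.33.87 dport=80 dir=out",
    "2023-01-10T09:12:03Z host=WS-0142 proc=iexplore.exe dst=213.186.33.87 dport=443 dir=out",
    "2023-01-10T09:12:05Z host=WS-0142 proc=chrome.exe dst=192.0.2.10 dport=443 dir=out",
    "2023-01-10T09:13:40Z host=WS-0207 proc=outlook.exe dst=203.0.113.5 dport=443 dir=out",
    "2023-01-10T09:14:02Z host=WS-0142 proc=svchost.exe dst=213.186.33.87 dport=8080 dir=out",
    "malformed line without fields",
]

# Reputation feed: the IP from the case plus a constructed /24 to show prefix matching.
BAD_IPS = {"213.186.33.87"}
BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # RFC 5737 range, constructed

WEB_PORTS = {80, 443}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_event(line):
    """Parse a 'ts key=value ...' event line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"host", "proc", "dst", "dport", "dir"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def is_bad_destination(ip):
    """True if the destination is on the blocklist or inside a blocklisted prefix."""
    addr = ipaddress.ip_address(str(ip))
    return str(addr) in BAD_IPS or any(addr in net for net in BAD_NETWORKS)


def detect(lines):
    """Return one alert per (host, process, destination) with outbound hits to bad IPs."""
    hits = defaultdict(lambda: {"ports": set(), "count": 0, "first_seen": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["dir"] != "out":
            continue
        if not is_bad_destination(ev["dst_ip"]):
            continue
        key = (ev["host"], ev["proc"].lower(), str(ev["dst_ip"]))
        rec = hits[key]
        rec["ports"].add(ev["dport"])
        rec["count"] += 1
        rec["first_seen"] = rec["first_seen"] or ev["ts"]

    alerts = []
    for (host, proc, dst), rec in sorted(hits.items(), key=lambda kv: kv[0]):
        # Web ports from a browser match the hijacker pattern in the case; any other
        # process reaching a bad IP gets its own label so it is not filtered out.
        if proc in BROWSERS and rec["ports"] & WEB_PORTS:
            label = "browser-to-bad-ip"
        else:
            label = "non-browser-to-bad-ip"
        alerts.append({"host": host, "proc": proc, "dst": dst,
                       "ports": sorted(rec["ports"]), "count": rec["count"],
                       "first_seen": rec["first_seen"], "label": label})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Aggregating per host, process and destination keeps the two iexplore.exe connections (port 80 and port 443) in a single alert, which is how an analyst would want to see them; the separate label for non-browser processes reaching the same address is what would have surfaced a second, unrelated infection on the same host.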
 
The Find: PUP.Optional.Mindspark is a Potentially Unwanted Program (PUP) from a large family of browser hijackers that affect major internet browsers such as Google Chrome, Firefox, and Internet Explorer/Edge. It is a big part of IAC/InterActiveCorp, a media and internet company that generates revenue through advertising. This threat changes browser settings, which can result in home page hijacking and browser redirect problems. PUP.Optional.MindSpark.A also drops extensions, add-ons, and plug-ins to carry out other malicious tasks.
 
PUP.Optional.MindSpark.A affects the installed browsers. Signs that the malware has infected the computer include:

  • Modified start page, home page, or search engine
  • Constant redirect to unwanted websites
  • Excessive display of pop-up advertisements
  • Browser and new tabs open on their own

 
The Fix: Recommendation to the client by Netsurion’s SOC:

  • Isolate the system from the network immediately and remove the suspected files
  • Block the IP address 213.186.33.87 at the firewall level and investigate further for any suspicious activity on the system
  • Run Anti-Malware/Anti-Virus scans on the machine
  • Delete the registry entries created by these processes

The Lesson: Anti-virus, software patching, and network scanners are present in most business networks, but an additional layer of logging and analysis is essential to find threats that slip past these traditional controls. Intelligence on emerging threats, attacks, vulnerabilities, and exploits must be kept up to date.