Bunitu Trojan Trapped

The Network: A diversified global financial services company. Their IT team is supplemented by Netsurion’s co-managed security solution.
 
The Expectation: Robust and up-to-date (Anti-Virus, next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Employees have been trained and can be counted on to make good decisions.
 
The Catch: Our Netsurion security analysts observed a pattern of suspicious network traffic from several internal desktops to external addresses associated with malvertising. The Netsurion sensor on each desktop reported the network traffic, and the Behavior Anomaly Module flagged the pattern as out of the ordinary.
 
The Find: On deeper investigation, one of the desktops was found to be infected with the Bunitu Trojan. This infection is known to be delivered by the Neutrino Exploit Kit via a malvertising campaign. Bunitu turns the infected computer into a proxy for remote clients. This is done in a few steps:

  • Installs itself on the machine
  • Opens ports for the remote connections
  • Registers itself with the remote server (the clients’ database), reporting its address and open ports
  • Accepts connections arriving on the exposed ports and relays the traffic onward

This has several consequences for the infected user. At a minimum, it consumes their resources and slows down their network traffic. It may also implicate them in illegal activity carried out by the attacker, because the infected client’s IP address is the one visible from the outside.
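The proxy behaviour described above leaves a recognisable footprint in flow data: an external address connects inbound to a workstation on a high listening port, and moments later that workstation opens an outbound connection to a third, unrelated external address. The following added example (not part of the original case write-up, and not Netsurion’s code) correlates constructed flow records to surface hosts showing that relay pattern; the addresses, ports and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records (time, src, sport, dst, dport); not real traffic.
FLOWS = """\
2023-01-01T10:00:00 10.0.0.5 51000 203.0.113.10 443
2023-01-01T10:00:03 198.51.100.7 40001 10.0.0.5 46832
2023-01-01T10:00:04 10.0.0.5 51001 192.0.2.20 80
2023-01-01T10:00:05 198.51.100.8 40002 10.0.0.5 46832
2023-01-01T10:00:06 10.0.0.5 51002 192.0.2.21 443
2023-01-01T10:05:00 10.0.0.9 52000 203.0.113.10 443
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WINDOW = timedelta(seconds=5)                   # max gap between inbound and relayed outbound

def parse(text):
    """Parse whitespace-separated flow lines into sorted (time, src, sport, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(records)

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_proxy_hosts(records, min_relays=2):
    """Return {internal_host: [(listen_port, external_client, relayed_dst, relayed_port), ...]}
    for hosts that accept an inbound external connection and, within WINDOW, open an
    outbound connection to a different external address (the Bunitu relay pattern)."""
    hits = defaultdict(list)
    for i, (t_in, src, _, dst, dport) in enumerate(records):
        if is_internal(src) or not is_internal(dst):
            continue  # only external -> internal inbound connections seed a relay
        for t_out, src2, _, dst2, dport2 in records[i + 1:]:
            if t_out - t_in > WINDOW:
                break
            if src2 == dst and not is_internal(dst2) and dst2 != src:
                hits[dst].append((dport, src, dst2, dport2))
                break
    # Require repeated relays so a single coincidental pair does not raise an alert.
    return {host: r for host, r in hits.items() if len(r) >= min_relays}

if __name__ == "__main__":
    for host, relays in find_proxy_hosts(parse(FLOWS)).items():
        print(host, "listening on", sorted({r[0] for r in relays}), "relayed", len(relays), "connections")
```

In the constructed data only 10.0.0.5 is flagged; 10.0.0.9 merely visits the same external site and shows no inbound-then-outbound pairing.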
 
The Fix: A careful scan with Malwarebytes of each desktop that exhibited the abnormal traffic detected Bunitu. The desktops were re-imaged and the advertising destinations were blocked at the firewall.
 
The Lesson: The infected endpoint was covered by the Netsurion sensor. It was caught because Netsurion’s SOC noticed the abnormality and uncovered the root cause of the cybersecurity incident. Perfect protection is not practical, so 24/7 monitoring is also necessary. Like the vast majority of attacks, this one was neither highly sophisticated nor a zero-day. However, complete coverage with up-to-date tools, staffed by a dedicated team, makes the difference between being safe and being a statistic in the data breach stories.