Trojan Detection at a Healthcare Organization

The Network: A healthcare services provider with an on-site security team. Netsurion’s Managed Threat Protection service supplements this team.

The Expectation: Robust and up-to-date (Anti-Virus, Next-Gen Firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.

The Catch: Netsurion’s SOC analysts were able to detect a Trojan that went undetected by the customer’s Anti-Virus tool. In order to find this, Netsurion’s signature features (below) were used by our SOC analyst while monitoring:

  • New Enterprise Activity
  • Unknown Process
  • Unknown MD5 hash

The Find: Netsurion’s SOC analyst observed that a new process – “iexplorer.exe” – had launched on a customer system and exited after a period of time. The analyst also found new MD5 hash activity. The cybersecurity analyst confirmed that the hash was a malicious Trojan.
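The three monitoring features named above can be modelled as a baseline check over endpoint process-creation records. The following is an added example, not Netsurion's or the customer's code; the events, hostnames and hash values are constructed, and the lookalike-name heuristic is an assumption added here, not something the case study describes.

```python
"""Baseline-driven triage of process-creation events, modelled on the three
features in the case study: New Enterprise Activity, Unknown Process and
Unknown MD5 hash. Example code; sample data is constructed, not real."""
from collections import namedtuple
from difflib import get_close_matches

Event = namedtuple("Event", "host process md5")

# Constructed baseline: (process, hash) pairs the enterprise has already seen.
BASELINE = [
    Event("ws-01", "iexplore.exe", "md5-known-ie"),
    Event("ws-02", "iexplore.exe", "md5-known-ie"),
    Event("ws-02", "outlook.exe", "md5-known-outlook"),
]

# Constructed new events to triage against the baseline.
NEW_EVENTS = [
    Event("ws-01", "outlook.exe", "md5-known-outlook"),  # known pair, new host only
    Event("ws-03", "iexplorer.exe", "md5-never-seen"),   # unknown name and hash
    Event("ws-02", "iexplore.exe", "md5-patched-ie"),    # known name, unknown hash
]


def build_baseline(events):
    """Enterprise-wide sets of known names, known hashes and known (name, hash) pairs."""
    names = {e.process.lower() for e in events}
    hashes = {e.md5 for e in events}
    pairs = {(e.process.lower(), e.md5) for e in events}
    return names, hashes, pairs


def triage(event, names, hashes, pairs):
    """Return the feature labels this event trips; an empty list means nothing new."""
    name = event.process.lower()
    findings = []
    if (name, event.md5) not in pairs:          # pair never seen anywhere in the enterprise
        findings.append("New Enterprise Activity")
    if name not in names:                       # process name never seen before
        findings.append("Unknown Process")
        # Added heuristic (assumption): an unknown name that nearly matches a known
        # one deserves analyst attention, since it may be masquerading as that process.
        for known in get_close_matches(name, names, n=1, cutoff=0.85):
            findings.append(f"Lookalike of known process {known}")
    if event.md5 not in hashes:                 # hash never seen before
        findings.append("Unknown MD5 hash")
    return findings


def triage_all(new_events, baseline=BASELINE):
    """Map (host, process) to its findings for every new event."""
    names, hashes, pairs = build_baseline(baseline)
    return {(e.host, e.process): triage(e, names, hashes, pairs) for e in new_events}
```

Events that trip all three labels at once, like the constructed `iexplorer.exe` one, are the cases that merit immediate analyst review; a known pair appearing on a new host trips none, because the baseline is enterprise-wide rather than per host.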

The Fix: The analyst immediately notified the customer, and the threat was neutralized by re-imaging the system, isolating it from the network and using anti-malware techniques. The find was acknowledged and confirmed by the client as well. The key highlight is that the customer's control mechanisms, such as A/V, could not detect this at the point of entry.

The Lesson: Trojans in any environment are a threat and can be detrimental to client business. In this particular case, though the process did not look suspicious, expert analysis by Netsurion’s SOC analyst made sure that it did not go unnoticed. Trojans are the first stage of a cyber attack and their primary purpose is to stay hidden while downloading and installing a stronger threat, such as a bot. They are often delivered to a victim through a phishing email message where they masquerade as an image or joke, or by a malicious website that installs the Trojan via web vulnerabilities.