Trojan Stopped in Healthcare Organization The Network: A healthcare services provider on the west coast of the U.S. They use Netsurion’s co-managed Managed Threat Protection, EventTracker. The Expectation: Robust and up-to-date prevention mechanisms (Anti-Virus, Next-Gen Firewall) thwart most common attacks, but since perfect protection is not practical, 24/7/365 monitoring is also necessary. The Catch: Netsurion’s SOC analysts found a program communicating with several external IP addresses that were known to have a bad reputation. The catch was discovered to be a Nitol Trojan that is unable to spread by itself, but is able to perform a number of actions of a hacker’s choice. Our analysts used the following features to detect this threat: Network Connections Monitoring (NCM) Integrated firewall logs Behavior analysis Trojan Synopsis for NITOL: Copies Itself To C:\WINDOWS\Tasks\csrss.exe Registry Keys Modified HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 5c 75 73 65 72 69 6e 69 74 2e 65 78 65 2c 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 61 73 6b 73 5c 63 73 72 73 73 2e 65 78 65 00 00 10 90 7c 5c f6 12 00 00 00 00 00 2c f7 12 00 00 e9 90 7c 40 04 91 7c 00 d6 97 7c 29 40 91 7c 1c 40 91 7c 08 02 00 00 Processes Created c:\windows\tasks\csrss.exe Network connections to command centers The Find: Netsurion’s SOC analysts found this program by reviewing firewall logs as a threat monitoring activity. The analysts also found external systems connecting to more than 200 IP addresses in a span of 4 days, most of which were coming from Russia and Ukraine. The checks revealed that these IP addresses were known for hosting malware. The tricky part is that NITOL uses in-built Windows program userinit.exe, which can never be used legitimately to connect to any external bad addresses. Userinit.exe is a Microsoft Windows process launched upon user logon, which runs all the startup scripts and reestablishes network connections and then starts explorer.exe. The Trojan also created a new process using the parent process csrss.exe. All of this information confirmed that the Trojan program was sending information out to the attacker’s command & control (C&C) center.. The Fix: The customer was immediately notified and the Trojan was neutralized using an anti-malware program. A large compromise, which could have had major financial and reputational impacts, was deterred. The Lesson: Although Anti-Virus was available, it was insufficient to catch this kind of attack. It is imperative to have an additional level of logging and analysis to find threats like these that go unnoticed by traditional defenses. Netsurion’s EventTracker was instrumental in helping the analysts to perform forensics to confirm and neutralize the threat.