Incident with unknown and undetected malware
Responding to an alert at one of our customers, we came across the following incident.
The customer was phished with a seemingly targeted phishing attack back in late April through the site diymania[.]eu (behind Cloudflare) (URL: hxxp://diymania[.]eu/hvilke-fordele-er-der-ved-bredygtig-energi.html, now dead). The original link was most probably delivered to the user by mail (not recovered).
Only a single client machine was affected. The language of the page seems to have been Danish, so rather specific, and the topic of the page was energy related. The client was a Win10 machine using Edge; it was fully updated and running Defender.
Looking at the network traffic from the machine in the seconds after the initial access, we can see access to both HTTP and SSL sites. The QUIC connections seem unrelated.
These connections looked unusual. Some of them are flagged as DGA domains in AlienVault's OTX (ignore the interleaved Microsoft domains).
The only domain known for malicious behavior seems to be rockstorageplace[.]com, but it seems to be present only in commercial CTI lists.
Signature-based detection has shortcomings that matter in real scenarios. Relying only on prevention through an EDR like Defender is not enough in a modern attack scenario; detection and response are needed to handle the incidents that get past the traditional preventive measures.
Author: Rasmus Have
Co-founder and IT-security specialist at Derant, Rasmus has 20+ years of experience doing operational blue- and red-team work in various organisations.