yodaa
 asked on

Trojan

I have read the article below.

So if this trojan is very hard to detect, it could actually be running in my company and I would never know. Any guides?


http://thehackernews.com/2017/03/github-email-scam.html

Last comment: John, 8/22/2022 (Mon)
John

These questions keep coming up.

1. You need TOP NOTCH and the BEST spam filtering. This is essential.

2. Train your users not to open emails from strangers. Delete these.

This is your best defense.  I see this crap in my email spam quarantine, so the email approach is prevalent.
btan

Advocate hardening of the machine via:
- application whitelisting to disallow running of macros and PowerShell; avoid enabling any unnecessary active script
- avoid running unwanted programs, also referred to as "PUPs" (Potentially Unwanted Programs), that intentionally slow down your computer
- update IPS and AV signatures so that, at a minimum, this sample is detected
- check DNS requests for server IP addresses that are blacklisted or ill-reputed; there are DNS-aware firewalls for this
- check for outbound HTTP POST requests to another Google domain, gmail[.]com or similar, where a large data size can indicate likely leakage
1) How did Troj/Dimnie-A get on my computer?
Troj/Dimnie-A can gain entry onto your computer in several ways. Some of the common methods of Troj/Dimnie-A infection include:
- Downloads from questionable websites
- Infected email attachments
- External media, such as a pen drive, DVD, or memory card already infected with Troj/Dimnie-A
- Fake updates that trick you into installing them
- Programs posing as fake virus removal tools
- Infected documents circulating on peer-to-peer (P2P) file sharing networks, torrent sites, and IRC channels

2) Symptoms of Troj/Dimnie-A infection
The primary symptoms of Troj/Dimnie-A infections are:
- Computer behaving unpredictably
- Unexpected operating system error messages
- Blue screen errors in Windows
- Sluggish computer performance
- Programs stop responding and show "Not Responding" error messages
- New files getting created at the root level of a hard drive
- Spam messages unknowingly being sent from your email account
- Mysterious file and folder deletions

3) Removing Troj/Dimnie-A from your computer
To get rid of Troj/Dimnie-A from your computer, perform the following steps:
- Use an anti-malware program
- Clean your Windows Registry
Shaun Vermaak

Top of the list is over-permissioning of users, both locally (local administrators) and on network resources (full rights on all company files on a shared drive, for example).
masnrock

You want to look at IOCs. I recently added a long list of domains known to be related to this. If you block those, then you can at least be sure systems are not contacting the C&C domains.

http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/?adbsc=social71113356&adbid=846693442872786944&adbpl=tw&adbpr=4487645412

However, I cannot stress enough that policy and education are key in this. Technology will help to an extent, but you also need to be sure that you're properly doing user awareness training. Users are the last line of defense. They need to know to at least report when they mess up (let's be honest, nobody is perfect), but just as importantly they need to be able to identify signs of suspicious emails.
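The two network checks btan lists above (destinations on a blocklist, and large HTTP POSTs to gmail.com or other Google domains) and masnrock's IOC-domain blocking are easy to run over proxy or UTM logs you already have. The script below is an added example written for this page, not code from the thread, from Unit 42 or from any vendor. It assumes a simple one-request-per-line log format defined in the comments; the log lines, the IOC domains and the 50 KB threshold are all constructed for illustration, so substitute your proxy's real format and the Unit 42 domain list before using it. It also goes one step beyond the thread: it sums POST bytes per client and destination, because exfiltration split into many small requests would otherwise slip under a per-request threshold.

```python
"""Flag suspicious outbound HTTP requests in proxy logs.

Added example, not code from the thread. It implements the two network
checks discussed (destination host on an IOC blocklist; large HTTP POST
bodies to gmail.com / Google domains) over constructed log lines.
The log format, domains and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed log line format (constructed for this example; adapt the regex
# to your proxy or UTM):
#   <timestamp> <client_ip> <method> <url> <status> <request_bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Hypothetical IOC domains; in practice load the list from the Unit 42 post.
IOC_DOMAINS = {"bad-example.test", "c2.example.invalid"}

# Destinations where a large POST body deserves a look (per the thread).
WATCH_POST_DOMAINS = {"gmail.com", "google.com", "googleapis.com"}
POST_BYTES_THRESHOLD = 50_000  # assumed value; tune to your environment

# Constructed sample log; nothing here is real traffic.
SAMPLE_LOG = """\
2017-03-30T09:12:01Z 10.0.0.21 GET https://www.microsoft.com/en-us/ 200 412
2017-03-30T09:12:07Z 10.0.0.21 POST https://mail.google.com/mail/u/0/ 200 1820
2017-03-30T09:13:40Z 10.0.0.33 POST https://gmail.com/ 200 734210
2017-03-30T09:14:02Z 10.0.0.33 GET http://update.bad-example.test/check 404 0
2017-03-30T09:15:11Z 10.0.0.40 POST https://gmail.com/ 200 30000
2017-03-30T09:15:12Z 10.0.0.40 POST https://gmail.com/ 200 30000
"""


def host_of(url):
    """Return the lower-cased host part of a URL, or None if unparsable."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def matches_domain(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(lines):
    """Return (client, reason, host, bytes) tuples for suspicious requests.

    reason is one of:
      ioc_domain     - destination host is on the IOC blocklist
      large_post     - a single POST to a watched domain exceeds the threshold
      aggregate_post - several smaller POSTs to one watched host add up to it
    """
    findings = []
    post_totals = defaultdict(int)  # (client, host) -> summed POST bytes
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        host = host_of(m["url"])
        if host is None:
            continue
        client, nbytes = m["client"], int(m["bytes"])
        if matches_domain(host, IOC_DOMAINS):
            findings.append((client, "ioc_domain", host, nbytes))
        if m["method"] == "POST" and matches_domain(host, WATCH_POST_DOMAINS):
            post_totals[(client, host)] += nbytes
            if nbytes >= POST_BYTES_THRESHOLD:
                findings.append((client, "large_post", host, nbytes))
    # Chunked exfiltration: many small POSTs to the same host add up.
    for (client, host), total in post_totals.items():
        already = any(f[0] == client and f[1] == "large_post" and f[2] == host
                      for f in findings)
        if total >= POST_BYTES_THRESHOLD and not already:
            findings.append((client, "aggregate_post", host, total))
    return findings


if __name__ == "__main__":
    for client, reason, host, nbytes in analyse(SAMPLE_LOG.splitlines()):
        print(f"{client:12} {reason:15} {host:30} {nbytes} bytes")
```

Run as-is it reports three things from the constructed sample: one 734 KB POST from 10.0.0.33 to gmail.com, a request from the same client to a host under the hypothetical IOC domain, and 10.0.0.40 whose two 30 KB POSTs to gmail.com together cross the threshold. Note that Exchange or ATP never sees this traffic; it has to come from the proxy, UTM or DNS-aware firewall logs mentioned earlier in the thread.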
yodaa

ASKER
Hi Guys,

Thank you for the info.

Do you know good links or best practices for user awareness training?
masnrock

This is a non-exhaustive list, as there are a ridiculous number of options out there...
SANS Institute
Wombat Security

KnowBe4 has a free phishing simulator test for up to 100 users: https://www.knowbe4.com/phishing-security-test-offer

Then you even have a number of vendors that offer the ability to use a library of training material that can be customized in some ways, such as MediaPro.
yodaa

ASKER
2) Symptoms of Troj/Dimnie-A Infection
The primary symptoms of Troj/Dimnie-A infections are:
Computer behaving unpredictably - sometimes Windows 10 behaves unpredictably
Unexpected operating system error messages - hmm
Blue screen errors in Windows - sometimes this happens on a few machines
Sluggish computer performance
Programs stop responding and show "Not Responding" error messages - this sometimes can happen in Windows 10, especially with Excel files
New files getting created at the root-level of a hard drive - what do you mean by that? Where should I check it?
Spam messages unknowingly being sent from your email account - this happened twice to one of the users, but I checked the IP in Exchange and it was sent from a different IP location etc., so I think it was a spoofed email.
Mysterious files and folder deletions
yodaa

ASKER
1. You need TOP NOTCH, and BEST Spam Filtering. This is essential.
We have the default spam filtering system from Exchange, and we also have ATP.

2. Train your users not to open emails from strangers. Delete these.  
Actually they are good with this.
yodaa

ASKER
Sorry for my English.  
* Sometimes this happened on a few machines
John

I normally use a good third party spam filtering system and not rely upon Exchange. Ipswitch (.com) has a good spam filtering system. Barracuda is also decent.
masnrock

New files getting created at the root-level of a hard drive - what do you mean by that  ?  where should I check it?
Check for strange files on the C drive, in the Windows folder, or even in the Windows system folders. I know, it's easier said than done.

It sounds like you have some system items to be checked, but it may not necessarily be Dimnie that is the cause.

What do your security policies, including patch cycles, look like today? Also, what type of training do you presently do?
yodaa

ASKER
We have a few security layers:

  1. Firewall
  2. All unneeded ports are closed.
  3. Default spam/malware filters in Exchange plus ATP. https://products.office.com/en-ie/exchange/online-email-threat-protection
  4. Trend Micro for business on all WKS and servers with console management.
  5. Another endpoint product on each WKS and server from Malwarebytes, with the management console https://www.malwarebytes.com/business/endpointsecurity/
Everything is up to date- Flash, java, OS, Adobe, Chrome etc.
SOLUTION
John

yodaa

ASKER
John,

We do training every 6 months. But now I am planning to do IT training every 2 months.
btan

Turn on AppLocker if running Windows. You only allow certain applications to run, and that restricts the exposure that leads to infection through running unauthorised applications.

Removing admin rights for users also helps, such that exploitation still requires the infection to escalate its privileges, though that may be non-trivial.

Keep your patches and signatures up to date for your HIPS and OS. Also consider anti-ransomware such as the one from Malwarebytes or WinPatrol AntiRansom.
ASKER CERTIFIED SOLUTION
yodaa

ASKER
We have Windows 10 Pro, so we cannot use AppLocker.

Staff don't have admin rights locally or on the network. Only IT admins have these privileges.
yodaa

ASKER
1. Good UTM - in place
2. Firewall - in place
3. Antivirus on every computer - in place
4. Limited access to resources - in place
5. Central management of antivirus so you can scan each computer on the network while the users work - in place
6. User has no rights to install anything --- I know it's tedious, but if they can't install anything, chances are Trojans or viruses cannot be executed - in place
7. Once a month, a 15-minute meeting reminding users of how phishing works and what to do when online - I am planning to do this every 2 months now.
8. Lockout policy for infected computers - what do you mean by that?
9. Education - I send an email to staff every time there is new malware, a campaign, etc.
btan

Disable the use of macros and active script in Office and the browser.
There is CryptoPrevent, which does whitelisting, that you can consider:
https://www.foolishit.com/cryptoprevent-malware-prevention/

Since you are using Trend Micro, consider Endpoint Security: https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-application-control.html#features-tm-anchor

Eventually spend some time on awareness training and education; the technology can never be a silver bullet if users are not vigilant. In fact they are the human firewall. Run an anti-phishing campaign and you will understand why they remain the weakest link.
yodaa

ASKER
Disable the use of macros and active script in Office and the browser. They use macros in Excel, so they need to have it on. Disabling scripts in browsers can be very frustrating for staff, hmm.
masnrock

Quarterly training should be sufficient, as long as you're also communicating about major things that are going on. Have you also worked on putting GPOs in place to lock certain features from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.)

Another thing worth an eventual look is some sort of monitoring or logging mechanism so that you can know what's going on in terms of web activity. That will also help you with identifying dangerous things going on.
yodaa

ASKER
Have you also worked on putting GPOs in place to lock certain features from users, such as PowerShell? Do your users have administrator access to the PCs? (If yes, do they really need it? You will want to look at changing this down the road.) Users don't have admin rights on local machines. Also, could you guide me to where I could set a GPO to turn off PowerShell on each WKS?
btan

You can still have some sort of blacklisting and whitelisting without AppLocker, from GPO, under User Configuration > Administrative Templates > System.

You should be able to find the "Run only specified Windows applications" setting and double-click it to open its properties dialog. But in this case, it may be better to explicitly block specific PowerShell applications (e.g. powershell.exe and powershell_ise.exe, for both x86 and x64 in the OS) rather than restricting to a whitelist; for that you would open the "Don't run specified Windows applications" setting instead. To run PowerShell scripts you will need administrator rights.
Natty Greg

A lockout policy means that once an infected computer is detected, it is blocked from accessing network resources and the internet until it is cleaned.
Rich Rumble

I think your initial question was answered :) Yes, there are Trojans that are hard to detect, and that go undetected for years. APTs are good examples. Google got hit with an APT, and they were doing top-notch security. In your organization you should "assume breach". Do not think you're not breached; think you already are and don't know it. All the best practices have been laid out already.
Least privilege, segment network with access control, apply restrictive permissions on files and folders (services) that are important, train users not to open everything they are sent.
That's it.
UTM, NextGen this-n-that, all crap if you don't have the basics.

-rich
John

Can you please come back and close the question?  Thank you.
John

Thank you for following up.