Guardicore - Using GuardiCore Reputation Services to Detect Dormant and Hidden Threats

Imagine this: you’ve been coming to the office for the past few months, contacting customers, updating and documenting important information, sending confidential corporate emails, connecting to critical databases in the network data center, and all this time someone, or more precisely something, has been watching your every move. Malware is loose in your network, collecting information, harvesting credentials and abusing them to connect to those same databases that you cherish.

Reputation-based breach detection

With today’s security perimeter and endpoint defenses, one would expect that at least known malware, or variants of known malware, would be kept out of the core network. Reality proves otherwise on a daily basis: known malware regularly finds its way in, all the way to the critical corporate data center.

Commonly, yours is not the first network this malware has compromised. Someone, somewhere, is already aware of it and of its bad reputation. What you’re missing is an automated, real-time process to discover the infection anywhere in your network (including your under-protected data center) that draws on the vast community knowledge available through the cloud.

GuardiCore’s patented dynamic deception quickly flushes out active breaches by detecting their lateral movements. But sometimes threats lie dormant and do not move laterally, making them more difficult to spot. GuardiCore’s new Reputation Services, integrated into Centra, our flagship product, allow customers to detect an attacker even when no lateral movement has been performed, surfacing dormant and hidden threats lurking in the data center and eliminating them before they can be activated. The service identifies IoCs (indicators of compromise) based on suspicious domain names, IP addresses and file hashes associated with known malicious activity.

GuardiCore Reputation Services leverages GuardiCore’s network of attack sensors and deception engines, threat intelligence feeds and the insights of our security research team. It also flags “negative processes”, whose presence indicates an untrusted asset that warrants investigation. All of the above is analyzed by the GuardiCore Reputation Services Cloud; if a specific flow is determined to be malicious or suspicious, a detailed incident is reported in real time along with IoCs and mitigation actions.

A real world example – Rasmans.exe

While activating the new GuardiCore Reputation Analysis on a customer’s data center, GuardiCore systems alerted on a high-risk incident. This incident led the GuardiCore cyber security team to discover malware that had compromised the company network.

The malware, Rasmans.exe, is a variant of known malware, tailored for this specific customer’s network (IoCs follow at the end of this post). It establishes a connection to a C&C server and awaits commands, which can later direct it to extract sensitive data from the company’s network and compromised systems.

A detailed and in-context view of the attack

The incident was reported by the GuardiCore Centra Security Platform as a high-risk incident involving a suspicious process.

Further incident information is only one click away in GuardiCore Reveal, a key component of the GuardiCore Centra Security Platform, which provides a network view of all relevant processes, services and connections that occurred around the time of the reported incident. This information unveiled the incident: one of the customer’s SQL database servers was attempting to connect to an internet server on port 31001, from a process named rasmans.exe.

The Guardicore Reputation Service triggered the incident alert, determining that the Rasmans.exe file is a malicious service based on known characteristics of the malware.

Exfiltration

Further investigation of the Rasmans.exe process led to the following configuration, which indicates that mei31001.mg2028.com is the C&C server the malware is attempting to connect to.

A simple whois query revealed that the host of the C&C server is situated in the Sichuan province of China.

GuardiCore Centra Security Platform generated all relevant IoCs, including hashes, filenames, directories, C&C information and more, enabling automatic detection of other compromised systems in the customer’s network. Using the Reveal data filters, we could easily find every other compromised system in the network.

A simple filter reveals all the compromised systems, giving a network view of the imminent risk, which in turn enabled swift mitigation of the attack. By following the GuardiCore Centra Security Platform’s mitigation suggestions, the company stopped the threat from spreading and prevented the attack from progressing further.
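As an added illustration of the two steps described above (the reputation match on a single flow, then the filter that pivots to every other affected host), here is a small detection routine. It is not Guardicore’s code: the indicator values are the ones listed at the end of this post, while the event format, the internal address ranges and the telemetry records are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Indicators quoted from the post; everything else in this block is constructed.
IOC_MD5 = {"db96d99531efd6f20157be2450015cc9"}
IOC_DOMAINS = {"mei31001.mg2028.com"}
IOC_PORTS = {31001}
IOC_PROCESSES = {"rasmans.exe"}
# Assumed internal address space of the monitored data center (RFC 1918 ranges).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
@dataclass(frozen=True)
class FlowEvent:
    host: str       # asset that opened the connection
    process: str    # image name of the initiating process
    md5: str        # hash of that image
    dest_ip: str    # destination address
    dest_name: str  # resolved destination name, "" if none
    dest_port: int

def match_iocs(ev: FlowEvent) -> list:
    """Indicator categories the event matches; the port only counts for internet-bound flows."""
    external = not any(ip_address(ev.dest_ip) in net for net in INTERNAL)
    hits = []
    if ev.md5.lower() in IOC_MD5:
        hits.append("hash")
    if ev.dest_name.lower() in IOC_DOMAINS:
        hits.append("domain")
    if ev.process.lower() in IOC_PROCESSES:
        hits.append("process")
    if ev.dest_port in IOC_PORTS and external:
        hits.append("port")
    return hits

def severity(hits: list) -> str:
    """Hash or C&C domain alone is decisive; weaker indicators must co-occur."""
    if "hash" in hits or "domain" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"

def find_compromised_hosts(events: list, minimum: str = "medium") -> set:
    """The filter step: every host with an event at or above the threshold."""
    rank = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return {ev.host for ev in events if rank[severity(match_iocs(ev))] >= rank[minimum]}
# Constructed telemetry: two hosts run the known sample; app-03 runs a re-hashed variant
# that only the co-occurring process-name and port indicators catch.
SAMPLE_EVENTS = [
    FlowEvent("sql-db-01", "Rasmans.exe", "DB96D99531EFD6F20157BE2450015CC9", "203.0.113.7", "mei31001.mg2028.com", 31001),
    FlowEvent("sql-db-02", "rasmans.exe", "db96d99531efd6f20157be2450015cc9", "203.0.113.7", "", 31001),
    FlowEvent("web-01", "sqlservr.exe", "0" * 32, "10.0.0.5", "", 1433),
    FlowEvent("app-03", "rasmans.exe", "f" * 32, "198.51.100.9", "", 31001),
]
```

The re-hashed variant on app-03 is why a hash-only feed is not enough: the domain, destination port and process name have to be matched as well, and the threshold in find_compromised_hosts decides how much weaker evidence is needed before a host is listed.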

Detection and Prevention

Especially concerning is the fact that Rasmans.exe is a variant of known malware, and yet was still able to bypass traditional perimeter and internal security controls. This highlights the importance of Reputation Services as a vital component of the GuardiCore Centra Security Platform, enabling the detection of malware variants and mitigation of the attack. In practice, mitigation at this stage means deploying a reputation-based analysis service as part of an existing security platform.

Conclusion

Rasmans.exe is a variant of known malware, able to receive a wide range of commands that enable credential theft and abuse, data exfiltration and many other actions, making it a dangerous threat to large organizations. That a variant of known malware was still able to bypass external and internal security platforms highlights the importance of reputation services as a component of an existing security platform in today’s data centers and corporate networks, enabling detection of such malware variants and mitigation of the attack.


IoCs:

FileName: Rasmans.exe

Directory: C:\Windows\SysWOW64\Rasmans.exe OR C:\WINDOWS\system32\

Hash (MD5): DB96D99531EFD6F20157BE2450015CC9

C&C Domain: mei31001.mg2028.com:31001

File Description: Local Access Connection Manager

Product version: 10.0.0.0
