Has anyone experienced this or something similar recently? We've seen multiple unrelated clients get hit with something that resembles a worm. It appears to use mimikatz to steal passwords for the currently logged-on user (Active Directory) and then reaches out to other PCs on the network and uses psexec to run something. I assume it's trying to steal the next computer's username/password and so on. Processes can be seen in Task Manager running under other user accounts that are NOT logged into the PC. The users (who have never otherwise logged into the PC) then have profiles in C:\users. This process leaves the PSEXECSVC Windows service (visible in services.msc) and saves mimikatz.exe and other random KB_______.exe and ms_______.exe files in C:\ProgramData, C:\users\username\appdata\roaming and \appdata\local\temp. It seems to disable the Windows Firewall and Windows Update services, and it breaks Show Hidden Files so it can't be turned on or off.
Users have complained of audio/music playing in the background, and we've found .mp3 files in c:\users\username\appdata\roaming. It's hard to recover from this because cleaning the PCs one by one is great until an infected one is turned back on with network connectivity and hits all the cleaned/rebuilt ones again.
The thing that's most worrying to me is that I can't find much about this online. This appears to be the closest thing: http://blog.cylance.com/operation-cleaver-net-crawler
Any ideas what this could be? It seems to have become more popular last week and this week, as I've never seen anything like it before and now have multiple cases.
Edited to add: It seems that Hitman Pro finds a dro.exe file on many of the infected PCs. It's in a Temporary Internet Files folder.
Edited by itasor, 30 March 2015 - 10:35 AM.
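A host triage script for the indicators described in the post above, added here as an example and not part of the original post or any tool it mentions. It assumes it is run as a local administrator, the service name `PSEXESVC` (what PsExec registers on the target), and the constructed `$ExpectedUsers` list, which must be adjusted for the machine being checked.

```powershell
# Added triage example (not from the original post). Checks one host for the
# indicators the poster describes: the PsExec service, mimikatz.exe / KB*.exe /
# ms*.exe / dro.exe / .mp3 drops in ProgramData and per-user AppData, stopped
# Firewall (MpsSvc) and Windows Update (wuauserv) services, and profiles for
# accounts that should never have logged on here. Run as an administrator.
$ExpectedUsers = @('Public', 'Default', 'alice')   # constructed placeholder list
$findings = New-Object System.Collections.Generic.List[string]

# 1. PsExec installs PSEXESVC on the target; the poster saw it left behind.
$svc = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service PSEXESVC present (status: $($svc.Status))") }

# 2. Security services the poster found disabled.
foreach ($name in 'MpsSvc', 'wuauserv') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings.Add("Service $name is $($s.Status) (start type: $($s.StartType))")
    }
}

# 3. Dropped files in the locations named in the post (INetCache is the
#    Windows 8+ name for Temporary Internet Files). -Force includes hidden files,
#    since Show Hidden Files was reported broken on infected machines.
$patterns = 'mimikatz.exe', 'KB*.exe', 'ms*.exe', 'dro.exe', '*.mp3'
$roots = @("$env:ProgramData")
$roots += Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    "$($_.FullName)\AppData\Roaming", "$($_.FullName)\AppData\Local\Temp",
    "$($_.FullName)\AppData\Local\Microsoft\Windows\Temporary Internet Files",
    "$($_.FullName)\AppData\Local\Microsoft\Windows\INetCache"
}
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include $patterns -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("File $($_.FullName) ($($_.Length) bytes, SHA256 $hash)")
        }
}

# 4. Profiles for accounts that never legitimately logged on: a lateral-movement
#    artefact the poster noticed, with creation time to help build a timeline.
Get-ChildItem 'C:\Users' -Directory |
    Where-Object { $ExpectedUsers -notcontains $_.Name } |
    ForEach-Object { $findings.Add("Unexpected profile C:\Users\$($_.Name) created $($_.CreationTime)") }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Because the poster saw cleaned machines reinfected as soon as one infected host came back online, run this on every host while they are isolated from the network and only reconnect once all of them report clean and the harvested credentials have been changed.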