I searched this website (bleepingcomputer.com) with one of the IOCs (indicators of compromise) of a click fraud / trojan (depending on which advisory you follow) malware, as there is no thread / article with this information. I'm posting in the interest of the community and researchers. This seems to be a moderately sophisticated type of attack involving a new genre of malware which does not leave residual files on the system and is hence termed "fileless" malware.
I found this while helping a friend of mine with his PC. Since I had configured logging for his PC, I saw in the logs that msiexec.exe was connecting to soplifan[.]ru ... Doing some research I saw this domain as part of two (maybe one single) campaigns involving fileless malware.
Read more here:
I personally allow a limited set of executable files internet access. I restrict internet access for msiexec.exe, which in most circumstances will contact Microsoft and / or the publisher of a piece of software to check the digital signature of the software being installed. I usually compare the file checksum or PGP signature and hence don't need msiexec.exe to connect to the internet.
While I haven't completed analysis of my friend's machine, what are the thoughts of members who have seen this / such malware on a proactive fix?
I recommend my friends disable (through ACL) / uninstall PowerShell, which does take care of moderate to advanced types of attacks, especially fileless malware attacks. Are there any other steps for this type of attack?
Edited by _Guess_Who_, 19 November 2017 - 09:37 AM.
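Added example, not part of the original post or its author's setup: a small Python detector that scans Sysmon-style network-connection events (Event ID 3) for msiexec.exe or powershell.exe reaching anything outside an allowlist of expected publisher hosts, which is how the msiexec.exe connection described above would surface in logs. The key=value log format, the allowlist and the sample events are constructed assumptions; soplifan[.]ru is the indicator named in the post.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Hosts msiexec.exe is expected to reach for signature / publisher checks.
# Constructed allowlist for this example; tune it to your own environment.
EXPECTED_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Images that normally have no business initiating internet connections.
WATCHED_IMAGES = {"msiexec.exe", "powershell.exe"}

# Assumed format: Sysmon Event ID 3 fields flattened to key=value pairs.
_KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Image=... DestinationHostname=...' into a dict."""
    return dict(_KV.findall(line))

def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def host_is_expected(host: str) -> bool:
    """Exact or subdomain match against the allowlist (no substring tricks)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)

def defang(indicator: str) -> str:
    """Render an indicator non-clickable for reports, e.g. soplifan[.]ru."""
    return indicator.replace(".", "[.]")

def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a watched image connects outside the allowlist. A bare-IP
    destination (no DestinationHostname) is treated as unexpected too, since
    legitimate signature checks resolve a Microsoft or publisher hostname."""
    if image_name(event.get("Image", "")) not in WATCHED_IMAGES:
        return False
    host = event.get("DestinationHostname")
    return not (host and host_is_expected(host))

def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (image, defanged destination) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "?")
            hits.append((image_name(ev["Image"]), defang(dest)))
    return hits

# Constructed sample events, not real telemetry; IPs are documentation ranges.
SAMPLE_LOG = [
    r"EventID=3 Image=C:\Windows\System32\msiexec.exe DestinationHostname=download.microsoft.com DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\msiexec.exe DestinationHostname=soplifan.ru DestinationPort=80",
    r"EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationIp=203.0.113.10 DestinationPort=443",
    r"EventID=3 Image=C:\Tools\firefox.exe DestinationHostname=example.org DestinationPort=443",
]

if __name__ == "__main__":
    for image, dest in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {image} -> {dest}")
```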