Preventing and remediating an attempted malware infection

Solis MDR recently investigated and remediated an attempt to infect a customer endpoint with downloader malware. The speed and precision with which we were able to do this highlights how our involvement saves customers’ time as well as keeping them safe.

The attempted malware infection came to light when our endpoint detection tool SentinelOne raised an alert. This indicated the presence of a potentially malicious file on a customer device. On investigation, our team subsequently identified this as a particular type of downloader malware called GootLoader.

Gootloader is typically the first step on the path to a more damaging infection. Like other downloader malware, its function is to download additional payloads from a threat actor’s server onto the target device, where they can start causing real damage.

A successful infection could have had very serious consequences for the customer. It would have enabled GootLoader to begin downloading anything from banking Trojans to infostealers. SentinelOne prevented this happening.

Solis MDR analysts then stepped in quickly. We identified and remediated all artefacts related to the attempted infection, pieced together a full timeline of what had happened, and advised the customer on what to do to prevent reoccurrence.

Initial download and execution

Reviewing the web request logs generated by SentinelOne enabled Solis MDR’s analysts to determine that the user of the affected device was browsing for work-related web content when they were redirected by a malicious search engine result.

This led to the unsuspecting user downloading and opening a ZIP archive, inside which they clicked on a malicious JavaScript file. According to VirusTotal, an online service that checks the reputation of files and URLs, this JavaScript file had been detected by just two security vendors at the time of this incident. So, it is unlikely it would have been picked up on by a traditional file-focused anti-virus solution.

When it was run, the file wrote a further malicious script to an AppData folder forming part of a legitimate software package. It then attempted to establish persistence by creating a scheduled task that would run the script on a regular basis.

Detection, investigation, and remediation

It was at this point, however, that the attack was stopped in its tracks. SentinelOne detected that it was witnessing behaviour likely to have been associated with malware. Within seconds, it had terminated the associated process, quarantined the script files, and removed the scheduled task.

Solis MDR’s analysts then moved fast to review the detection. We were able to check the system remotely to validate that SentinelOne’s remediation had been successful. We also identified and removed an additional artefact. This was the ZIP archive in the user’s Downloads folder containing the script that had triggered the malicious activity.

By correlating this file’s attributes with the log data from SentinelOne, we were able to piece together the full story and provide the customer with the exact URL from which the file had been downloaded as well as the likely path the user took to get there.

Notification and recovery actions

We collated all this information into an incident ticket and sent a notification to the customer within just 45 minutes of the initial alert. In this, we described what had been detected, what Solis MDR did to investigate it, and what we had done to remediate the effects of the malicious activity.

Our service focuses on targeting the specific artefacts associated with an attempted malware infection. This saves time for our customers’ users and IT teams, because we can normally return affected devices to a known good state and so avoid the need for these to be completely rebuilt. Because Solis MDR’s investigation revealed the full timeline of the incident, we were also able to advise the customer of the exact URL from which the malicious file was downloaded, enabling them to block this domain within their network.

By identifying that the URL was likely visited via a search engine result, we also equipped the customer with the information they would need to speak to the affected user and encourage them to exercise increased vigilance in future.