NavionMI

OSTAP/Trickbot.j infection on Linux NAS


Hi, recently a client was infected with what was probably either OSTAP or TrickBot.j. Though he did have MWB on his computer, the infection went to his QNAP NAS and did some things to his shared directory there. 

It changed all the file extensions to JSE and changed the file length to 296 KB, which would normally make you think ransomware, but it wasn't, because there was no note! JPG files, by the looks of it initially, are the only files NOT altered. 

MWB later indicated TrickBot. 

If this was OSTAP, I need to find a way to recover the deleted/wiped files from this QNAP NAS. QNAP so far has been less than helpful. 
I'm including the INFECTED file here. 

Edited by AdvancedSetup
Deleted possibly infected file

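The symptom described in the post above (every non-JPG file on the share renamed to .JSE and set to the same length) leaves two very different recovery situations behind: a file that was only renamed still carries its original bytes and can be recovered by renaming it back, while a file that was overwritten with a copy of the dropper is gone and must come from backup. The script below is an added example, not code from the thread or from Malwarebytes or QNAP; it walks a share, hashes every file, sniffs magic bytes, and sorts the .jse files into those two buckets. The magic-byte table, the sample directory built by `build_sample()` and the 296-byte stand-in for the 296 KB clone are all constructed for the example.

```python
"""Triage a NAS share after a suspected OSTAP / TrickBot.j overwrite (added example)."""
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Magic-byte table (constructed for this example; not exhaustive).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0": "ole/doc",
    b"#@~^": "jscript-encoded",  # Windows Script Encoder (.jse) header
}


def sniff(data):
    """Return the format name matching the leading bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage(root):
    """Walk `root` and classify every file.

    renamed_only       .jse files whose bytes are still a known document
                       format (recover by renaming back)
    overwritten_clone  .jse files sharing one hash with other .jse files
                       (content replaced; restore from backup)
    suspect            remaining .jse files that need a manual look
    intact             non-.jse files with their sniffed format
    clone_size         the most common .jse size (uniform size is the tell)
    """
    root = Path(root)
    records = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            records.append({
                "path": p.relative_to(root).as_posix(),
                "ext": p.suffix.lower(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "magic": sniff(data[:8]),
            })
    jse = [r for r in records if r["ext"] == ".jse"]
    hashes = Counter(r["sha256"] for r in jse)
    sizes = Counter(r["size"] for r in jse)
    report = {
        "renamed_only": [],
        "overwritten_clone": [],
        "suspect": [],
        "intact": [(r["path"], r["magic"]) for r in records if r["ext"] != ".jse"],
        "clone_size": sizes.most_common(1)[0][0] if sizes else None,
    }
    for r in jse:
        if r["magic"] not in ("jscript-encoded", "unknown"):
            report["renamed_only"].append(r["path"])
        elif hashes[r["sha256"]] > 1:
            report["overwritten_clone"].append(r["path"])
        else:
            report["suspect"].append(r["path"])
    return report


def build_sample():
    """Create a constructed share layout in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    # Stand-in for the 296 KB dropper copy: .jse header plus padding (constructed).
    clone = b"#@~^" + b"A" * 292
    for name in ("invoice.jse", "report.jse", "notes.jse"):
        (root / name).write_bytes(clone)
    # A file that was only renamed: still a PDF inside (constructed).
    (root / "contract.jse").write_bytes(b"%PDF-1.4\n%constructed\n")
    # JPGs left alone, as in the post (constructed).
    (root / "photo1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 20)
    (root / "photo2.jpg").write_bytes(b"\xff\xd8\xff\xe1" + b"\x00" * 20)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against the mounted share (`triage("/mnt/share")`) from a clean machine, with the share mounted read-only so nothing in the scan can trigger execution. Hashing over SMB is slow on a large share, but the hash comparison is what separates "renamed" from "overwritten": one hash repeated across hundreds of .jse files is the signature of a wiper-style overwrite, and those files cannot be reconstructed from the share itself.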

The way to recover the data files is to restore them from your last backup.

You stated... " I'm including the INFECTED file here "

Are you stating that this DOC was your legitimate file and it was altered to be malicious in the above-referenced process?

No, I'm saying that this is the infected file that the client clicked on. 


Hello @NavionMI

Do you have the actual logs from the client computer? We just tested this and both the Consumer and Business products block it.

Was Malwarebytes out of date, not running, or not using real-time protection?

Consumer was running, and it DID block it on the client computer. Not on his Linux-based QNAP NAS network share though. 


Not familiar with that device. Does it have open connectivity to the Internet without access to the workstation?

If it was blocked at the workstation level I don't see how it could have done anything. The file may have been copied there from another process and we would not detect a dormant flat file like that.

Is it possible the NAS device was infected at some other point in time and the customer was not aware of it?

When we analyze and run the file, Malwarebytes Consumer and Business both stop it and nothing happens, period, from that point forward.

If it's not too much trouble, if you can get us the logs from that system we might be able to see more of what really happened.

https://support.malwarebytes.com/docs/DOC-2396

Thank you again

I'll check back on you on Monday. Have a great weekend @NavionMI


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
