OSTAP/Trickbot.j infection on Linux NAS

Hi, recently a client was infected with what was probably either OSTAP or TrickBot.j. Though he did have MWB on his computer, the infection went to his QNAP NAS and did some things to his shared directory there. 

It changed all the file extensions to JSE and changed the file length to 296Kb, which would normally make you think Ransomware, but it wasn't because there was no note! JPG files, by the looks of it initially, are the only files NOT altered. 

MWB later indicated TrickBot. 

If this was OSTAP, I need to find a way to recover the deleted/wiped files from this QNAP NAS. QNAP so far has been less than helpful. 
I'm including the INFECTED file here. 

Edited by AdvancedSetup
Deleted possibly infected file
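
A read-only triage sketch for the symptom described in the post above (files renamed to a JSE extension and all reporting the same length), added here as an example and not part of the original thread. The function names, the `min_cluster` threshold and the sample data are assumptions made for illustration; the script only lists and stats files, it does not open or modify them.

```python
import os
import tempfile
from collections import Counter, defaultdict

def triage_share(root, ext=".jse", min_cluster=3):
    """Group files carrying `ext` by exact byte size and count everything else.

    Returns (suspects, others): suspects maps a size to the paths sharing it
    when at least `min_cluster` files have that size; others counts the
    remaining files per extension (candidates for "not altered").
    """
    by_size = defaultdict(list)
    others = Counter()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            suffix = os.path.splitext(name)[1].lower()
            if suffix != ext:
                others[suffix] += 1
                continue
            try:
                by_size[os.path.getsize(path)].append(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    suspects = {size: sorted(paths) for size, paths in by_size.items()
                if len(paths) >= min_cluster}
    return suspects, dict(others)

def build_sample_share(root):
    """Constructed sample data: 296-byte stand-ins for the 296Kb files."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in (("docs", "report.JSE"), ("docs", "budget.JSE"), ("notes.jse",)):
        with open(os.path.join(root, *rel), "wb") as fh:
            fh.write(b"\0" * 296)
    with open(os.path.join(root, "old_script.jse"), "wb") as fh:
        fh.write(b"x" * 10)  # a lone .jse of a different size is not clustered
    for name in ("photo1.jpg", "photo2.JPG"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\xff\xd8" + b"\0" * 50)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        suspects, others = triage_share(share)
        for size, paths in suspects.items():
            print(f"{len(paths)} files of identical size {size} bytes:")
            for p in paths:
                print("   ", os.path.relpath(p, share))
        print("other extensions seen:", others)
```

Run against a read-only mount or a copy of the share, the per-extension counts show which file types were left alone and the size clusters give the list of files to look for in backups or snapshots.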

The way to recover the data files is to restore them from your last backup.

You stated... "I'm including the INFECTED file here"

Are you stating that this DOC was your legitimate file and it was altered to be malicious in the above-referenced process?

  • Root Admin

Not familiar with that device. Does it have open connectivity to the Internet without access to the workstation?

If it was blocked at the workstation level I don't see how it could have done anything. The file may have been copied there from another process and we would not detect a dormant flat file like that.

Is it possible the NAS device was infected at some other point in time and the customer was not aware of it?

When we analyze and run the file, Malwarebytes Consumer and Business both stop it, and nothing happens, period, from that point forward.

If not too much trouble - if you can get us the logs from that system, we might be able to see more of what really happened.

https://support.malwarebytes.com/docs/DOC-2396

Thank you again

I'll check back on you on Monday. Have a great weekend @NavionMI

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance, please start your own topic in a new thread.

Thanks
