Undetectable RAT or unknown threat during remote work


Recommended Posts

Hello. I'm trying to figure out how someone could hack all devices in my network, like laptops and smartphones, with an unknown threat - probably a RAT (Remote Access Trojan or Remote Administration Tool?). I don't know exactly which malware it is, but they are able to monitor my whole laptop, smartphone or network activity, and currently it's fully hidden, so it sounds like a RAT. This is a very advanced RAT which is entirely hidden, and I don't know what to look for. There isn't any suspicious file or process (it's impossible to tell it apart from legitimate files and processes - will I find out from the file dates?). It had to have survived a few formats from the Windows CD, or it comes back from infected flash drives. It happened during remote work, and somehow it went from the company's laptop through my network to my private devices. I think I will create another thread later to try to remove it, because it's too big. For now, I just want to know how it all happened.

Once, I had to work remotely, so I connected a company laptop to my family's network (via Wi-Fi), so I had to type the password of my network (technically it's one network, so you can connect via cable without a password, and you can connect via Wi-Fi with the network name and password, but it's a separate password from the router's admin password). I knew this laptop had a keylogger, Cisco AnyConnect, Microsoft's monitoring software, two VPNs, yourphone.exe, Bluetooth, enabled synchronization, a domain user account (Windows), integrated OneDrive and more... It was an MDM laptop managed by IT administrators, and it had been used by other past employees before. Funny fact: at work, an IT administrator needed my permission for remote access, and I was informed about such an attempt, but in my home somehow he accessed my private laptop just by connecting to my network.

Exact way:
1. I typed my Wi-Fi password on the company's laptop to connect it to my network and work, so the network name and password were saved in that laptop.
2. The IT administrator had to silently start remote access (there was no information about a remote access session) on the company's laptop while it was in my network, and somehow it already allowed him to do something (what exactly?). He connected to all devices one by one with Cisco AnyConnect? How? He had full access to that company's laptop. My router had its firewall turned off, but the devices had their own Windows firewall and were set to hidden on the network (connected as if to a public network).
3. I didn't notice anything, except big lags on my private laptop, so he connected from the company's laptop through the network via Cisco AnyConnect to my private laptop at that moment? Then I restarted the private laptop, but I didn't know what was going on, so they could continue later when I wasn't checking the private laptop, or they had already installed something. Windows Defender and Windows Firewall were sleeping well... I didn't notice lags on the company's laptop, but it was always working slower than I think it should, so there had to be something working in the background all the time.
4. Later I realized what had actually happened, and I only found an already uninstalled Cisco AnyConnect (not installed by me) on my private laptop and other files with names like "backdoor" etc. with unknown file extensions.
5. Some unknown shell with a kernel error popped up during uninstallation of some program installed by me a few months ago. I replaced the drive in this laptop and formatted the other devices, but the RAT was still working without any signs. So Cisco AnyConnect was used to install the RAT on my devices?
6. There is still something that I can't find. I don't know if it's a RAT or something else. Probably it's outside Windows. I tried 20 different scanners and nothing is detectable. Logs from Farbar are clean too. Malwarebytes says the system is clean too.
7. I think the Windows credentials are faked - that's why it's undetectable. Control Panel\User Accounts\Credential Manager had some active session with login and password ("Windows credential" and "Certificate based credential" menu). I don't know if it's a legitimate file or not, or what caused it.


Hello @Networkit and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


I noticed that the "Allow VPN over metered networks" and "Allow VPN while roaming" options are always on, but there is no VPN connection above. Same with "Sync your settings". Interestingly, now I can't access "Sync your settings" from "Accounts" (it gets stuck), and I couldn't access "Activity History" from "General", but this time it turned on for 5 seconds and then the whole menu disappeared.
 
The option "Allow Remote Assistance connections to this computer" in "Remote Assistance" under "System Properties" self-enables, and when I click "Advanced", "Allow this computer to be controlled remotely" in "Remote Assistance Settings" is enabled too. "Set the maximum amount of time invitations can remain open" is set to "6 Hours".
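The settings named in the post above can be read straight from the registry and the firewall rule set instead of clicking through System Properties. The script below is an added example, not code from the thread or from Malwarebytes; it assumes a Windows 10 host with the built-in NetSecurity module and must be run from an elevated PowerShell prompt. The registry value names and the policy path are the ones Windows uses for these switches.

```powershell
# Added example, not code from the thread: audit the Remote Assistance / RDP
# settings the post describes and report whether a policy source is forcing them.
# Run from an elevated PowerShell prompt on Windows 10.

function Get-RemoteAssistanceState {
    $raKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Server'

    $ra  = Get-ItemProperty -Path $raKey  -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue

    # MaxTicketExpiryUnits: 0 = minutes, 1 = hours, 2 = days
    $units = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }

    [pscustomobject]@{
        # "Allow Remote Assistance connections to this computer"
        RemoteAssistanceAllowed = [bool]$ra.fAllowToGetHelp
        # "Allow this computer to be controlled remotely"
        FullControlAllowed      = [bool]$ra.fAllowFullControl
        # "Set the maximum amount of time invitations can remain open"
        InvitationLifetime      = "$($ra.MaxTicketExpiry) $($units[[int]$ra.MaxTicketExpiryUnits])"
        # Remote Desktop (separate feature, same dialog)
        RdpEnabled              = ($ts.fDenyTSConnections -eq 0)
        # A value under the Policies key means Group Policy or MDM re-applies the
        # setting at refresh time, which is the usual reason it "self-enables".
        PolicyForcesRA          = ($null -ne $pol.fAllowToGetHelp)
        PolicyValue             = $pol.fAllowToGetHelp
    }
}

function Get-RemoteAccessFirewallRules {
    # Rule groups that open the inbound ports those features use
    Get-NetFirewallRule -DisplayGroup 'Remote Assistance', 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Direction, Profile, Action
}

Get-RemoteAssistanceState      | Format-List
Get-RemoteAccessFirewallRules  | Format-Table -AutoSize

# To switch the feature off (if it is back on at the next check, something with
# admin rights or a policy source is setting it again):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp   -Value 0
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowFullControl -Value 0
#   Disable-NetFirewallRule -DisplayGroup 'Remote Assistance'
```

If PolicyForcesRA comes back True on a machine that was never domain- or MDM-joined, that is the thing to explain first; on an unmanaged home PC the Policies key is normally absent.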

I can't edit posts, but this is my last update for now. I think SSH is worth mentioning and was used in this case. I think it was a remote kernel or whatever, which sets up an SSH connection with port forwarding to a remote host, or something like that. Whoever did this must be really good with networks and systems. I think it's more than just CCNA knowledge.


  • Root Admin

These types of access permissions can easily happen if you're using Microsoft software from a business on your home system and logging in with work credentials. It will ask you a question along the lines of whether you want the organization to be able to manage all apps on the system.

That does not give it carte blanche access to the entire system, but it does give it an incredible amount of control over applications, etc.; someone intent on accessing your system from said work would have a much easier time gaining further access.

 

I'm sorry, but we don't run a training facility or a forensics facility. If you're looking to see where, why, or how something got onto the system or systems, then I would highly suggest you reach out to a company that specializes in forensics. They can assist you, but that will require imaging all systems and generally speaking will cost in the thousands of dollars.

We can offer to help you clean the current computer or even other computers, but if you're that afraid that every system in the home has been attacked, then you might be better off hiring a security firm to help, as that is beyond the scope of free forum support.

 

Please let us know how you'd like to proceed. Again, we can help you to clean the current computer if you like, or even other computers, but we won't look at where, why, or how it got infected.

Thank you @Networkit

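Whether a home machine ever accepted that "let the organization manage my device" prompt is something you can check rather than guess. The script below is an added example, not from the thread; it assumes a Windows 10 host where dsregcmd.exe is present (it ships with the OS) and reads the HKLM\SOFTWARE\Microsoft\Enrollments key that Windows MDM enrollment writes. Nothing here needs the network.

```powershell
# Added example, not code from the thread: show whether this Windows 10 machine
# is joined to or enrolled with an organisation. Assumes dsregcmd.exe and the
# HKLM\SOFTWARE\Microsoft\Enrollments layout used by Windows 10 MDM.

function Get-JoinState {
    # dsregcmd prints "Name : Value" lines; keep only the ones that answer the question
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName', 'MdmUrl'
    $result = [ordered]@{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and $wanted -contains $Matches[1]) {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$result
}

function Get-MdmEnrollments {
    # One GUID subkey per enrollment; UPN and ProviderID say which account and
    # which management service own the device.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID -or $p.UPN) {
                [pscustomobject]@{
                    Enrollment = $_.PSChildName
                    Provider   = $p.ProviderID
                    Account    = $p.UPN
                    State      = $p.EnrollmentState
                    Type       = $p.EnrollmentType
                }
            }
        }
}

Get-JoinState      | Format-List
Get-MdmEnrollments | Format-Table -AutoSize
```

On a private laptop that was only ever used with a local account, every join field should read NO and the enrollment table should be empty; the same information is visible in Settings > Accounts > Access work or school. A company-issued laptop will show YES for at least one join type plus an enrollment, which is what makes its administrators' remote access to that laptop ordinary.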

Thank you @AdvancedSetup

"These type of access permissions can easily happen if you're using Microsoft software from a business on your home system and logging in with work credentials. It will ask you if you want the organization to be able to manage all apps on the system type of question."

You mean the company laptop was "officially" managed by the company? Yes, I know, so a hidden remote connection to that company's laptop was nothing special? It's like it was his laptop that was connected to my network?

It seems that if someone is connected to the same network, it is very easy to get to other devices. Very easy for technician.

Let's try to fix it, but what if it's not in the system (not in Windows)? It may be in the BIOS/UEFI, firmware, a controller, etc. (where else in the PC parts might it be?). It may be faking Windows files, or it's just using Windows resources in a hidden way. It's not a simple RAT that you could disable from msconfig or find infected files for with a scanner. What should I look for?


Is it possible that the RAT has its own hidden disk sector, and it falsifies the disk size while I'm formatting Windows from the CD? It has to come back somehow from somewhere.


I didn't log in to the home system directly with work credentials (work account). I only logged in to the home system with a candidate account, and my work account was separate, but I don't know if they had access to both credentials; both were managed by that company, so it probably doesn't matter. Anyway, I connected the company's laptop to the home router and it happened. I reported it to my supervisor, but he said it's not possible (good joke).


  • Root Admin

Okay, let's start with a couple of 3rd party AV scans. Then we'll use a Farbar scan to review again and clean as necessary. @Networkit

 

 

Microsoft Safety Scanner

Please make sure you exit any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited, and that messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands ..... just do not use the computer during this scan.

This is likely to run for many hours, as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed, it uploads the log to their cloud service, which then uses artificial intelligence to determine whether in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 


Thank you @AdvancedSetup

I've already tried these scanners after the new format. I scan with these scanners from time to time, but even when the RAT was actually active, it was undetected by any of these scanners. It's a very advanced RAT or something else. What else can it be? Somehow, the scanners can't detect it. I don't know how this malware is made.

New scans:
- AdwCleaner (no detection)
- aswMBR (crashing during scan, can't complete scan)
- Emsisoft Emergency Kit (no detection)
- ESET Online Scanner (detected USB Disc Security as PUP Win32/Adware.Linkzb.A)
- Farbar Recovery Scan Tool (no detection - done after very fresh format and checked by specialist)
- Farbar Service Scanner (?)
- F-Secure Online Scanner (no detection)
- Microsoft Safety Scanner (no detection)
- RKill (no detection)
- Sophos Virus Removal Tool (no detection)

I tried them a few weeks ago, but I will do new scans this week:
- ClamWin
- Diag
- HouseCall
- Malwarebytes
- Norton Power Eraser
- Panda Cloud Cleaner
- RogueKiller
- SUPERAntiSpyware
- Stinger
- Zemana AntiMalware
- Windows Defender

Can you recommend any other tools?

msert.log


  • Root Admin

If you have done a format, then try an actual CLEAN install, which includes deletion of ALL partitions. Then do not use a Microsoft online account for the installation.

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

Then do a Factory reset on your router

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the router's capabilities, please consider the following.

  • Disable acceptance of ICMP pings.
  • Change the default router password, using a strong password.
  • Use a strong Wi-Fi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable remote management.
  • Create separate Wi-Fi networks for groups of devices with similar purposes, to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up to date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135-139, 445, 1234, 3389, 5555 and 9034.
  • Document the passwords created and store them in a safe but accessible location.

 

 

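The router rules in the reply above have a host-side counterpart on each Windows machine, and it is worth knowing what is actually listening on those ports before and after you add them. The script below is an added example, not the reply's own instructions; it assumes Windows 10 with the NetSecurity and NetTCPIP modules, an elevated prompt, and that this PC does not need inbound file sharing (445) or RPC (135-139) from the LAN. Drop those ports from the list if it does.

```powershell
# Added example, not code from the thread: host-level block rules for the port
# list in the reply, plus a report of what is currently listening on them.
# Run from an elevated PowerShell prompt on Windows 10. Assumes inbound SMB/RPC
# and RDP are not needed on this machine.

$portSpec = @('135-139', '445', '1234', '3389', '5555', '9034')   # list from the reply
$watch    = @(135, 136, 137, 138, 139, 445, 1234, 3389, 5555, 9034)

function Add-HomeBlockRules {
    # One inbound block rule per protocol, on every profile (public, private, domain),
    # created only if it does not already exist so the script can be re-run safely.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Home hardening - block inbound $proto $($portSpec -join ',')"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $proto -LocalPort $portSpec -Profile Any -Enabled True | Out-Null
        }
        Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Profile, Action
    }
}

function Get-WatchedListeners {
    # TCP listeners on the watched ports, resolved to the owning process and its image path
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Proto   = 'TCP'
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
    # UDP has no listen state; any bound endpoint on a watched port is reported
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Proto   = 'UDP'
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

Add-HomeBlockRules  | Format-Table -AutoSize
Get-WatchedListeners | Sort-Object Proto, Port | Format-Table -AutoSize
```

On a stock Windows 10 install the listener report normally shows only System (PID 4) on 445 and 139, svchost.exe on 135, and nothing on 3389 unless Remote Desktop is enabled; a non-Microsoft image path on any of these ports, or anything on 1234, 5555 or 9034, is a concrete thing to hand to whoever does the cleanup.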

At that time, I deleted all partitions from the disk with the Windows CD functions and installed fresh Windows from the CD offline. I never used a Microsoft online account for the installation.

I rent a router, but I have done a factory reset with the button several times before I connected it to the internet. I created a new, very strong password and SSID name, and I also disabled remote management and WPS.

I wanted to, but I can't create a separate Wi-Fi network because it only supports one network. It's updated (no longer supported).
 
And after this, the RAT was still active. I did it again a few weeks ago.
 
I will check this:
  • Disable acceptance of ICMP pings
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135-139, 445, 1234, 3389, 5555 and 9034
 
 

  • Root Admin

Well, perhaps you should consider visiting a local computer shop that specializes in security. Take in all computer, router and phone equipment and have them assist you.

No cleaning that we can assist you with would help. I am skeptical of the process you're describing, though, as I've been doing enterprise-level support for over thirty years now, and though it is possible to attack a computer during the installation process, it is extremely rare.

In most cases, if the computer does get compromised after install, it is often due to other programs that were installed and not due to Windows itself. Attacks are typically looking for exploits.

 


  • Root Admin

Again, following the advice from the link below would be the best option. DO NOT use your CD/DVD installer. It is far too old.

Download new install media and write it to a USB thumb drive for installation media. DO NOT install any 3rd-party software at all until Windows is fully installed, up to date and verified to be clean.

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/


  • Root Admin

You can tell them all the same things you've told us.

I'm saying that by using an old installer you have to install too many updates and patch files, etc.

Using a new ISO image on a new USB thumb drive for installation is the best way to do it, as the computer will be up to date with patches, thus greatly reducing the threat surface of the computer during the install.

 


  • Root Admin

Out of billions of computers out there, I've only seen a handful of computers that say they were able to infect, but none that were verified by multiple security companies. So unless you're a billionaire or some other state-level threat worth wasting million-dollar technology on, I seriously doubt it.

 

