July 14, 2017, Hong Kong
Case: Suspected Malware Intrusion
Location: Hong Kong
Brief: An employee in a Hong Kong company suspected that her laptop had been hacked or infected by malware, and engaged us to investigate her laptop. The investigation scope was to check for the presence of malware and/or any compromise of data. She suspected that one of her colleagues might have planted malware on her laptop in order to steal confidential data.
Procedure: Upon receiving the computer, we forensically imaged the laptop and backed up the image. Next, we scanned the image using multiple anti-virus and anti-malware products to search for the presence of malware. Additionally, we virtualized the computer in a “sandbox” environment and examined all software and executables that had been run. Our searches identified 3 executables that were possible malware. One of these identified itself as a “Bluetooth installer”. However, this identifying metadata can easily be changed, and code reverse engineering showed that this software had other functions. We then ran the executables in our secure “sandbox” test environment and observed their behavior. One of the executables was able to perform as a Remote Access Trojan (RAT), allowing the computer to be remotely controlled from another location. The executable was configured to download a zip file from a particular website. This zip file was protected with a password, a common way for malicious files to evade anti-virus and other security software. Lastly, we attempted to identify the first point of entry of the malware and found a web visit by the user to a particular website to download the software that identified itself as a “Bluetooth installer”. This was the event closest in time to the creation of the malware on the computer.
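The final step above, matching each suspicious file's creation time to the nearest preceding web visit, as an added illustration that is not the investigators' own tooling; the browser history entries, file paths and timestamps are constructed, and the 15-minute window is an assumed analyst setting.

```python
from datetime import datetime, timedelta

# Constructed sample evidence (not data from the case): browser history
# entries and file creation timestamps as exported from a forensic image.
BROWSER_HISTORY = [
    ("2017-06-01 09:12:00", "http://news.example.invalid/"),
    ("2017-06-01 10:41:10", "http://dl.example.invalid/bluetooth_installer.exe"),
    ("2017-06-01 13:05:00", "http://mail.example.invalid/"),
]
FILE_CREATED = [
    ("2017-06-01 10:41:55", r"C:\Users\u\Downloads\bluetooth_installer.exe"),
    ("2017-06-01 10:43:20", r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    ("2017-06-01 16:00:00", r"C:\Users\u\AppData\Local\Temp\later.exe"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def nearest_prior_visit(created, history, window=timedelta(minutes=15)):
    """Latest browser visit at or before `created` and within `window`.

    Returns (url, seconds_before_creation), or None when no visit qualifies,
    so a file with no plausible web origin is reported rather than guessed.
    """
    best = None
    for ts, url in history:
        gap = created - parse(ts)          # negative gap = visit came later
        if timedelta(0) <= gap <= window and (best is None or gap < best[1]):
            best = (url, gap)
    return None if best is None else (best[0], int(best[1].total_seconds()))


def correlate(files, history, window=timedelta(minutes=15)):
    """Map each suspicious file path to its likely originating web visit."""
    return {path: nearest_prior_visit(parse(ts), history, window)
            for ts, path in files}


if __name__ == "__main__":
    for path, hit in correlate(FILE_CREATED, BROWSER_HISTORY).items():
        print(path, "<-", hit)
```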
Outcome: It would seem that the user had accessed a website to download a “Bluetooth installer” that contained code hidden in a malicious file as part of this “Bluetooth software” package. When run, it downloaded further malware. No traces of direct targeting or hacking of the computer were found.