My response to a Cyber Attack


Sometime last week, my system fell victim to an attack. Upon observing that my system was malfunctioning and that my data consumption was beyond normal, I immediately knew that I was under a cyber attack, so I isolated the system from the public network, then extracted my 8 GB RAM artifact for analysis, after which I shut down the system.

I couldn't use the system again, so I installed #kalilinux #nethunter on my phone and installed some digital forensics tools which I would eventually use to analyse the extracted artifact.

Upon preliminary analysis, I realised that there was a trojan #backdoor #malware on my system that enabled the attacker to gain access to my system and drop different malware, including a bankcredspy #trojan which sniffs for bank credentials, cryptoware that makes use of my system resources for cryptocurrency mining, adware that pops up malvertising on my system, etc.

The implication was that it consumed 20 GB of data in less than 2 days, my system became terribly slow, and my CPU, RAM and drive usage were consistently above 90%.

I couldn't use my system for over 6 days because of the malware and, mainly, because I was analysing the extracted artifact. However, I observed that the original trojan found its way into my system through a trojanised file downloaded by a friend, unknowingly evading my system security.

Surprisingly, after installation of the trojan #software on the system, the system worked fine for about 18 hrs. So probably the trojan was designed to lie low for a period of time before it began its original intention.

Upon digital forensic analysis, I was able to discover very important information about the attacker.

1. The attacker was mining with my system resources using the XMRig open source #cryptocurrency mining software.

2. The attacker's C2 was identified as hosted in #Germany by a host known as #HETZNER.

3. The C2 has about 9 different servers used by the attacker to manage all infected systems for #cryptomining purposes.

4. The attacker has infected over 30,000 systems, which I believe are used for cryptomining.

5. The domain used for the mining is anuanage.info, which was registered 3 months ago.

6. I was also able to get the rig-id of the attacker and the HTTP access token.

Beyond being attacked, as #cybersecurity professionals we should ensure that we understand how the attack was carried out and what damage it has done to the victim's or our client's system, without assumption, which is only possible through digital forensics.

Lessons

1. Always supervise anyone using your system, especially a #windows based OS.

2. Never assume that all regular-looking processes are genuine: there was a malware process called windefender.exe running from the System32 folder, and it was part of the strategy to evade security protocols.

3. Don't be quick to shut down a system under attack, because important information can be missed.

4. Never assume in digital forensic analysis.

5. Find my discovery in the image below.
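As an added illustration of lesson 2 (not code from the original post), the check below runs over a constructed process listing in the style of a memory-forensics pslist output and flags a process that borrows a security-product-like name such as windefender.exe without being on the known-good list, or a known-good name running from an unexpected path. The sample rows, the allowlist and the expected directories are assumptions made up for the example.

```python
import difflib
from dataclasses import dataclass

# Constructed sample in the shape "name,pid,ppid,path" (not taken from the post).
SAMPLE_PSLIST = """\
MsMpEng.exe,1234,620,C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe
windefender.exe,4412,3320,C:\\Windows\\System32\\windefender.exe
svchost.exe,900,620,C:\\Windows\\System32\\svchost.exe
explorer.exe,3320,3200,C:\\Windows\\explorer.exe
"""

# Assumed allowlist: known-good executable name -> directory prefix it should run from.
KNOWN_GOOD = {
    "msmpeng.exe": "c:\\programdata\\microsoft\\windows defender\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}
# Words commonly borrowed to make a process look like a security product.
LURE_WORDS = ("defender", "antivirus", "security", "update")

@dataclass
class Finding:
    name: str
    pid: int
    reason: str

def parse_pslist(text):
    """Parse the comma-separated listing into (name, pid, ppid, path) tuples."""
    rows = []
    for line in text.strip().splitlines():
        name, pid, ppid, path = line.split(",", 3)
        rows.append((name, int(pid), int(ppid), path))
    return rows

def flag_masquerading(rows):
    """Return findings for processes whose name or path looks like masquerading."""
    findings = []
    for name, pid, _ppid, path in rows:
        lname, lpath = name.lower(), path.lower()
        if lname in KNOWN_GOOD:
            # Right name, wrong location: a classic sign of a planted binary.
            if not lpath.startswith(KNOWN_GOOD[lname]):
                findings.append(Finding(name, pid, f"known name but unexpected path {path}"))
            continue
        # Near-miss spelling of a known-good name (e.g. one swapped character).
        close = difflib.get_close_matches(lname, list(KNOWN_GOOD), n=1, cutoff=0.75)
        if close:
            findings.append(Finding(name, pid, f"name resembles {close[0]} but is not on the allowlist"))
        elif any(word in lname for word in LURE_WORDS):
            findings.append(Finding(name, pid, "security-product-like name not on the allowlist"))
    return findings
```

Calling `flag_masquerading(parse_pslist(SAMPLE_PSLIST))` on the sample returns a single finding for windefender.exe (pid 4412), while the genuine MsMpEng.exe, svchost.exe and explorer.exe rows pass.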
