topic This was resolved in the 2016 in Endpoint Security

MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected

svillagrana — Fri, 21 Feb 2020 05:02:01 GMT

I'm getting this email notification, but I don't know if this is just a notification or if the network is in danger.

here is what the exact email says.

[1:40268:1] "MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected" [Impact: Vulnerable] From "xx.xxx.x.xxx" at Mon Sep 26 17:52:05 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 104.47.37.73:15269 (united states)->xx:xxx:xxx:xxx:25 (unknown).

Is my network being compromised, or is this just a notification that it stopped the malware? I've been getting this email notification consistently today, and we've never had an issue before.

thanks,

Hello svillagrana

kwalcott — Mon, 26 Sep 2016 18:42:59 GMT

Hello svillagrana

The intrusion event is alerting you that the Firepower sensor is seeing traffic matching this intrusion rule in your network traffic.

More information regarding this specific Malware can be found below:

https://virustotal.com/en/file/64cc212853359ec2164ceb142961db25452e576a94bc1e092417eb4cd2bf9186/analysis/

Here is some additional information regarding the malware: http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

So the rule is written to detect traffic matching malicious network traffic associated with this Malware in traffic coming from $EXTERNAL_NET (IP addresses external to your local subnet) going to your SMTP servers to TCP Port 25 (SMTP).

You would need to investigate the source of this traffic and why you would be receiving such traffic directed at your Mail servers.

The intrusion event would also have a packet capture available with the packet that triggered the intrusion event for further analysis.

We opened a case with Cisco

Yonglu Jian — Wed, 28 Sep 2016 06:52:03 GMT

We opened a case with Cisco TAC and the FirePower team replied that this had been identified as false-positive.

So what can I do about the

svillagrana — Wed, 28 Sep 2016 07:49:56 GMT

So what can I do about the 50+ email notifications that I'm getting per day and throughout the night?

We are getting the same

ale — Wed, 28 Sep 2016 08:53:32 GMT

We are getting the same messages from our FirePower system.

So do we just disable the signature or what is the proposed solution from TAC?

Are they fixing their IPS Signatures and we update?

Thanks for a reply

Regards

Alex

Hi svillagrana,

Binyam Demissie — Wed, 28 Sep 2016 09:29:56 GMT

Hi svillagrana,

In the last couple of days there has been a lot of reports of 1:40268:1 (Rev 1 ) firing on email signature jpg images and as a result the rule has been modified and is pending review. A new revision of the rule (Rev 2) will be available in future SRU updates.

That said, as Kevon advised you might want to investigate this internally to determine if this is FP or not. If this is firing on outgoing emails signature jpg images, chances are it could be FP. However, events on incoming emails should be further investigated internally to determine if its from a trusted source.

Please feel free to contact Firepower TAC for further queries.

Thanks,

~ Binyam

We have the same trouble and

Jacques Brouwers — Wed, 28 Sep 2016 16:06:56 GMT

We have the same trouble and also just opened a case. Hopefully they already have the new SRU update if ours is determined to be a false-positive.

Below is their response.

Jacques Brouwers — Wed, 28 Sep 2016 16:21:04 GMT

Below is their response. However there is no ETA for the new SRU. We have decided to leave the rule in-place and just delete the 100+ messages per day until it is resolved.

-------------------------------------------------------

Action Plan: Explain issues with 40268

Our research team TALOS has confirmed that recently released SID 1:40268:1 is generating false positives for customers.

A new revision is going through the QA process now and we expect it to be released in one of the next SRU updates. For the time being, you can set 40268 to generate events only or disable it until the new revision is out.

Hi all

Hypermarcas SA — Wed, 28 Sep 2016 17:20:13 GMT

Hi all

I have the same issue here. We are investigating but looks like a FP. We will wait the next SRU to correct this FP.

Thx,

~Pablo

Hello Team,

Jetsy Mathew — Wed, 28 Sep 2016 17:23:47 GMT

Hello Team,

Please disable the signature as the new release of SRU will be out soon.

Rate and mark correct if the post helps you.

Regards

Jetsy

"However, events on incoming

s.buskus — Wed, 28 Sep 2016 23:11:57 GMT

"However, events on incoming emails should be further investigated..."

All of mine are incoming. The rule is written to trigger on incoming SMTP.

My question is, if the rule is creating false positives, will it also create a true positive for a malicious attacks? If the rule will not trigger a true positive than I will disable the rule.

As of SRU number: 2016-09-28

rwoolery1 — Thu, 29 Sep 2016 21:25:05 GMT

As of SRU number: 2016-09-28-001, no change. We have moved this to Alert only. Much of the traffic was from customers we have had for a long time. We will continue to monitor, but I believe everything we are seeing is FP at this point.

This was resolved in the 2016

Matthew Franks — Wed, 05 Oct 2016 18:27:51 GMT

This was resolved in the 2016-09-30 SRU.

Thanks,

Matthew Franks