Solved: FMC Malware-CNC Win.Trojan Variant Outbound Connection

mjoseph20 · ‎07-18-2023

Hi there everyone, so over the last few weeks I've noticed and uptick in our FirePower devices sending alerts regarding about various malware/IOC's taking place on one of my web servers. My understanding when reading through these alerts is that someone (the source IP) is attempting to exploit my web server (destination host). I don't believe there to be an actual compromise of the server since the source are the bad actors IP address. When I review the IOC's in FMC, it shows that FMC has dropped the traffic. Here's an example one my most recent attacks:

[1:47299:1] "MALWARE-CNC Win.Trojan.Remcos variant outbound connection" [Impact: Vulnerable] From "FTD" at Tue Jul 18 12:53:47 2023 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 139.59.183.83:34488 (united kingdom)->172.21.x.x:80 (unknown).

In this case it's showing that that the source IP 139.59.183.83 is attempting to upload a network trojan to my web server 172.21.x.x over port 80 (we have https redirects in place). Now FMC shows that the inline result states the connection was dropped. Am I understanding this correctly, that the bad actors attempt to upload a network trojan was detected and dropped? And that this in fact an attack being attempted on my web server?

Or is it that something is on my web server is making an outbound call as based on the alert name "...outbound connection". I have reviewed the connection events related to the source IP and they are in-fact showing the inbound connection to my web server was blocked. I just need a bit of a sanity check to make sure my thought process that this attack began from the outside and was blocked by the FW's. I have found no evidence in the connection logs to suggest that the web server is making outbound calls to these malicious IP's.

Cisco_Virtual_Engineer · ‎07-26-2023

When the Firepower Management Center shows an alert of a detected and dropped network trojan, it means that the system has identified and blocked a network trojan threat. The intrusion event has been detected by the system and the network traffic containing the trojan has been dropped, preventing any further damage.

The Firepower Management Center provides external alerting for such intrusion events, which can be via SNMP, syslog, and email. These alerts can be configured in the intrusion policy settings.

- SNMP alerting can be enabled in the intrusion policy editor with individual rules configured to send SNMP alerts when they trigger. SNMP traps can be sent to a specified server, and SNMP v3 options are available by default for authentication and privacy.

- Syslog alerting can also be enabled in the intrusion policy editor. Intrusion events can be sent to the managed device's syslog or to external syslog hosts. Facilities and priorities can be configured for the syslog alerts.

- Email alerting can be configured in the Firepower Management Center's Policies ) Actions ) Alerts section. Specific rules or rule groups can be selected for email alerting. The email sender and recipients can be specified, and options for coalescing alerts and setting the maximum number of alerts per time interval are available. The alerts can also be configured for summary output displaying concise information about the intrusion events.

From your comment "I have found no evidence in the connection logs to suggest that the web server is making outbound calls to these malicious IP's", it seems you are correct that the attack began from outside and was successfully blocked by your Firepower system.

Sources:
[Firepower Management Center Configuration Guide, Version 6.0](https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html)

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

View solution in original post

Cisco_Virtual_Engineer · ‎07-26-2023

When the Firepower Management Center shows an alert of a detected and dropped network trojan, it means that the system has identified and blocked a network trojan threat. The intrusion event has been detected by the system and the network traffic containing the trojan has been dropped, preventing any further damage.

The Firepower Management Center provides external alerting for such intrusion events, which can be via SNMP, syslog, and email. These alerts can be configured in the intrusion policy settings.

- SNMP alerting can be enabled in the intrusion policy editor with individual rules configured to send SNMP alerts when they trigger. SNMP traps can be sent to a specified server, and SNMP v3 options are available by default for authentication and privacy.

- Syslog alerting can also be enabled in the intrusion policy editor. Intrusion events can be sent to the managed device's syslog or to external syslog hosts. Facilities and priorities can be configured for the syslog alerts.

- Email alerting can be configured in the Firepower Management Center's Policies ) Actions ) Alerts section. Specific rules or rule groups can be selected for email alerting. The email sender and recipients can be specified, and options for coalescing alerts and setting the maximum number of alerts per time interval are available. The alerts can also be configured for summary output displaying concise information about the intrusion events.

From your comment "I have found no evidence in the connection logs to suggest that the web server is making outbound calls to these malicious IP's", it seems you are correct that the attack began from outside and was successfully blocked by your Firepower system.

Sources:
[Firepower Management Center Configuration Guide, Version 6.0](https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html)

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

mjoseph20 · ‎08-03-2023

Thanks for confirming my thoughts on this. I figured that these were blocked inbound attacks, however the way the alerts are worded it makes it sound like there's an active attack taking place.