Microsoft Security Intelligence
Published May 19, 2022 | Updated Jul 05, 2023

Trojan:MSIL/CreepyWink.B!dha

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat has been observed to be used by Plaid Rain. It monitors and records keystrokes on the target device.

Read the following blog for more information:

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

To help reduce the impact of this threat, you can:

  1. Validate the alert.
    • Immediately isolate the affected device. If malware was installed, attackers might already have complete control over the device.
    • Identify the credentials that were used on the affected device and consider all associated accounts compromised. Reset passwords or disable the accounts. This includes cached credentials saved in the Windows credential vault.
    • Inspect the affected device for the presence of other malware or tools.
    • Check for lateral movement activity performed with one of the compromised accounts over WMI, named pipes, or PsExec. If sensors are in a healthy state, check for alerts triggered by these activities.
    • Look for alerts named "Suspicious decoded content". These alerts trigger on the presence of Cobalt Strike beacons on your network and on PowerShell abuse.
    • Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team, or contact Microsoft support for investigation and remediation services.
  2. Scope the incident. Find related devices, network addresses, and files in the incident graph.
  3. Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates and patches.
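The triage script below is an added example and is not Microsoft's code or part of this encyclopedia entry. It shows one way to carry out the lateral-movement check from step 1 and the scoping from step 2: given the accounts you have already declared compromised, it scans exported Windows events for the three indicators the steps name (PsExec service installs, PsExec named pipes, and processes spawned by the WMI provider host) plus network logons by the compromised accounts, and returns the hosts that need scoping. The event records, their field names, and the account and host names are all constructed for this example; a real export from Security, System and Sysmon logs would need to be mapped onto those fields first.

```python
"""Added triage helper (not part of the Microsoft page): flag lateral-movement
indicators and the hosts they touch, starting from a set of compromised accounts.

Assumptions: events are dicts exported from the Windows Security, System and
Sysmon logs. The field names ("log", "id", "account", "host", ...) are this
example's own convention, not a Microsoft schema.
"""
import ntpath
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Account and host names are invented.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "account": "CORP\\jdoe", "logon_type": 3,
     "src_ip": "10.0.0.25", "host": "FILESRV01"},
    {"log": "System", "id": 7045, "account": "CORP\\jdoe", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "host": "FILESRV01"},
    {"log": "Sysmon", "id": 17, "account": "NT AUTHORITY\\SYSTEM",
     "pipe": "\\PSEXESVC", "host": "FILESRV01"},
    {"log": "Security", "id": 4688, "account": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "host": "HR-PC07"},
    {"log": "Security", "id": 4624, "account": "CORP\\backup_svc", "logon_type": 3,
     "src_ip": "10.0.0.9", "host": "FILESRV01"},
    {"log": "Security", "id": 4688, "account": "CORP\\asmith",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "host": "HR-PC07"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    account: str
    event_id: int


def classify(event, compromised_accounts):
    """Return the lateral-movement technique an event indicates, or None."""
    log, eid = event.get("log"), event.get("id")
    if log == "System" and eid == 7045:
        # PsExec installs a service named PSEXESVC on the remote host (event 7045).
        if event.get("service", "").upper() == "PSEXESVC":
            return "psexec_service_install"
    elif log == "Sysmon" and eid in (17, 18):
        # Sysmon pipe created (17) / pipe connected (18); PsExec uses \PSEXESVC pipes.
        if "PSEXESVC" in event.get("pipe", "").upper():
            return "psexec_named_pipe"
    elif log == "Security" and eid == 4688:
        # Remote WMI process creation appears as a child of WmiPrvSE.exe.
        # Management software also does this, so treat it as a lead to confirm.
        parent = ntpath.basename(event.get("parent_image", "")).lower()
        if parent == "wmiprvse.exe":
            return "wmi_remote_process"
    elif log == "Security" and eid == 4624:
        # Logon type 3 is a network logon; only flag accounts already known compromised.
        if event.get("logon_type") == 3 and event.get("account") in compromised_accounts:
            return "network_logon_compromised_account"
    return None


def find_lateral_movement(events, compromised_accounts):
    """Scan events and return one Finding per lateral-movement indicator."""
    findings = []
    for ev in events:
        technique = classify(ev, compromised_accounts)
        if technique:
            findings.append(Finding(ev["host"], technique, ev.get("account", "?"), ev["id"]))
    return findings


def affected_hosts(findings):
    """Hosts touched by any finding: the starting point for step 2 (scoping)."""
    return {f.host for f in findings}


if __name__ == "__main__":
    compromised = {"CORP\\jdoe"}  # from step 1 of the response steps above
    results = find_lateral_movement(SAMPLE_EVENTS, compromised)
    for f in results:
        print(f"{f.host:10} {f.technique:35} {f.account} (event {f.event_id})")
    print("hosts to scope:", sorted(affected_hosts(results)))
```

The network-logon rule is deliberately restricted to accounts already on the compromised list so it stays a scoping aid rather than a generic alert; the PsExec and WMI rules fire regardless of account because those artefacts are worth reviewing on their own, and each hit should be confirmed against the sensor alerts the step refers to.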

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.