Trojan:Script/Malgent is a malicious trojan that uses a variety of scripting languages to carry out harmful operations on a compromised device. Because it can run in many different scripting environments, it can launch a broad spectrum of malicious activity, and that spread across languages makes its impact on a compromised device harder to contain and mitigate.
To mitigate the issue, follow these steps:
Apply security updates promptly on all applications and operating systems, especially for any vulnerabilities known to be exploited by this threat. Consult the Microsoft Security Update Guide for comprehensive information on available Microsoft security updates.
Follow the principle of least privilege and maintain credential hygiene. Avoid using domain-wide, admin-level service accounts. Restrict local administrative privileges to mitigate the potential installation of remote access trojans (RATs) and other undesirable applications.
Network segmentation is useful in constraining the propagation of malware infections. The process involves partitioning a network into smaller segments, effectively confining an infection to a single segment rather than permitting its unrestricted spread across the entire network.
Promote the use of Microsoft Edge and other web browsers that support SmartScreen, a feature identifying and blocking malicious websites, including phishing sites, scam sites, and those hosting exploits or malware.
Enable the attack surface reduction rule that blocks JavaScript or VBScript from launching downloaded executable content.
Threat behavior
Trojan:Script/Malgent is a malicious trojan that uses a variety of scripting languages to execute harmful operations on a compromised device. It adapts to many scripting environments and can initiate a wide range of malicious activity; operating across multiple scripting languages increases the complexity of its impact on a compromised device and makes effective mitigation harder.
The covered scripting languages include, but are not limited to:
JavaScript
VBScript
PHP
ASP/ASPX
Visual Basic for Applications (VBA)
Batch files (BAT)
PowerShell
And more...
These scripts are commonly used to perform specific tasks such as:
Trojan tools attack enterprises more often than individuals. Following the mitigation steps below can help prevent trojan attacks.
Keep backups so you can recover data affected by trojans and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check for excessive failed authentication attempts (Windows security event ID 4625).
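One way to review the event 4625 volume the step above refers to, as an added PowerShell example that is not part of the original page: read failed logons from the Security log, pull the source address, target account, logon type and status fields out of each event's XML, and report the source addresses whose failure count exceeds a threshold. The lookback window and threshold are assumed values to be tuned per environment, and the script must run with rights to read the Security log.

```powershell
# Added example (not from the original page): summarise failed logons (event ID 4625)
# by source address to surface brute-force and password-spraying patterns.
# Assumptions: the caller can read the Security log; LookbackMinutes and Threshold
# are illustrative defaults, not values taken from the page.
function Get-FailedLogonSummary {
    param(
        [int]$LookbackMinutes = 60,   # assumption: how far back to look
        [int]$Threshold = 20          # assumption: failures per source that warrant review
    )

    $since = (Get-Date).AddMinutes(-$LookbackMinutes)
    # Get-WinEvent raises an error when no events match; treat that as "nothing to report".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    # Flatten each event's EventData <Data Name="..."> elements into one object per failure.
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']     # '-' for local/console failures
            LogonType      = $data['LogonType']     # 3 = network, 10 = remote interactive (RDP)
            Status         = $data['Status']
            SubStatus      = $data['SubStatus']     # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }

    # Group by source address; many failures from one address against many accounts
    # points at password spraying, many failures against one account at brute force.
    $rows | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress     = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.TargetUserName | Sort-Object -Unique).Count
                LogonTypes    = (@($_.Group.LogonType | Sort-Object -Unique) -join ',')
                UnknownUsers  = @($_.Group | Where-Object { $_.SubStatus -eq '0xc0000064' }).Count
                FirstSeen     = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
                LastSeen      = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

# Usage: report sources with 20 or more failures in the last hour.
Get-FailedLogonSummary -LookbackMinutes 60 -Threshold 20 | Format-Table -AutoSize
```

The DistinctUsers and UnknownUsers columns are what separate the two patterns: a single address with a high DistinctUsers count and mostly unknown-user substatus values is characteristic of spraying, while a low DistinctUsers count with many bad-password failures is a conventional brute-force attempt against one account. Logon type 10 failures from outside the expected management ranges are the ones to correlate with the Remote Desktop Gateway hardening described above.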
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
Use Windows Defender Firewall and your network firewall to prevent RPC and SMB communication between endpoints wherever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
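The attack surface reduction rules referred to in the guidance above (the rule that blocks JavaScript or VBScript from launching downloaded executable content, the credential-theft, ransomware, PsExec/WMI and Office rules), enabled through the Microsoft Defender Antivirus cmdlets, as an added PowerShell example that is not part of the original page. The rule GUIDs are Microsoft's published identifiers for these rules; the audit-first rollout and the event review at the end are the example's own choices, and the event IDs 1122 (audit) and 1121 (block) are the Defender operational-log IDs for ASR rule hits.

```powershell
# Added example (not from the original page): enable the ASR rules named in the
# mitigation guidance via Add-MpPreference, starting in audit mode so impact can be
# measured before switching to block. Run from an elevated PowerShell session.
$rules = [ordered]@{
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block credential stealing from LSASS'                                       = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI commands'          = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Use advanced protection against ransomware'                                = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block all Office applications from creating child processes'               = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'                = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'        = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                                   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

# Deploy in audit mode first; change to 'Enabled' for the rules you have validated.
# Accepted actions: Disabled, Enabled (block), AuditMode, Warn.
$action = 'AuditMode'
foreach ($name in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rules[$name] `
                     -AttackSurfaceReductionRules_Actions $action
    Write-Host ("{0,-9} {1}" -f $action, $name)
}

# Read back the configured state. Ids and Actions are parallel arrays
# (actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $acts[$i] }
}

# Review what the rules would have blocked while in audit mode (ID 1122),
# or did block once enabled (ID 1121). Absence of events is not an error here.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122, 1121
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Two practical points when using this: the PsExec/WMI rule is documented as incompatible with the Configuration Manager client, which uses those mechanisms, so validate it on managed hosts before enabling it in block mode; and the audit events in the Defender operational log are the evidence to review, per rule, before each switch from AuditMode to Enabled. In a managed estate the same rules are normally pushed through Intune or Group Policy rather than per host, but the GUIDs and actions are identical.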
When a device is infected by Trojan:Script/Malgent, users may observe the following symptoms:
Abnormal device behavior: The Trojan:Script/Malgent infection can lead to irregular system operations, causing unexpected sluggishness, device freezes, or abrupt crashes.
Web browser irregularities: Because Trojan:Script/Malgent frequently operates through JavaScript, it can cause peculiarities in web browsers, with users witnessing sudden redirects, intrusive pop-ups, or alterations to default settings.
Unanticipated network activities: Trojan:Script/Malgent can initiate unauthorized network connections, resulting in uncommon network behavior. Users should monitor unexpected data transfers or connections to unfamiliar IP addresses.
Alterations in file structures: Trojan:Script/Malgent has the potential to manipulate or generate new files, particularly within JavaScript files or system directories.
Elevated CPU utilization: Users may notice a significant increase in CPU usage as the Trojan executes its obfuscated JavaScript code, consuming substantial system resources.
Browser-centric attacks: Where the threat operates through JavaScript, users might face browser-based attacks, including the injection of malicious scripts into web pages, posing a direct threat to the security of online activities.