Multiple suspicious connections indicating TrickBot infection

ID: suspicious_ip_trickbot
Data type: DNS, IP, HTTP, TLS
Severity: High - Critical
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected network traffic indicative of command and control (C2) activity. C2 is a critical component of malware operations, allowing attackers to communicate with compromised systems, issue commands, and exfiltrate data. This detection indicates that one or more systems in your network may be infected with malware and are actively communicating with attacker-controlled infrastructure.

Impact

C2 activity indicates that threat actors may have ongoing access to infected systems, enabling them to monitor activity, steal credentials, and potentially use these systems to access more sensitive or high-value resources within the network. This may result in data theft or the deployment of additional malware or ransomware.

Severity

Severity   Condition
High       Traffic to a potential command and control (C2) destination
Critical   Traffic to a known command and control (C2) destination
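The severity mapping above (known C2 destination is Critical, potential C2 destination is High) and the "multiple suspicious connections" condition in the title can be expressed as a small triage step over connection records. The following is an added example, not AlphaSOC's own detection code: it assumes a hypothetical Event record carrying the page's four data types, and every indicator and hostname in it is a constructed placeholder (RFC 5737 documentation addresses and .invalid names), not real TrickBot infrastructure.

```python
"""Triage of constructed network events for C2-style connections.

Added example (not AlphaSOC's detection code). Every indicator below is a
constructed placeholder: RFC 5737 documentation addresses and .invalid
names, never real TrickBot infrastructure.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder indicator sets. In practice these would come from
# a curated threat-intelligence feed, not from a source file.
KNOWN_C2 = {
    "ip": {"192.0.2.10", "192.0.2.11"},
    "domain": {"c2-known.example.invalid"},
}
POTENTIAL_C2 = {
    "ip": {"198.51.100.5"},
    "domain": {"maybe-c2.example.invalid"},
}

SEVERITY_RANK = {"High": 1, "Critical": 2}


@dataclass(frozen=True)
class Event:
    """One connection record; data_type mirrors the page's DNS/IP/HTTP/TLS."""
    src_host: str
    data_type: str   # "DNS", "IP", "HTTP" or "TLS"
    dst: str         # queried/served name for DNS, HTTP and TLS; address for IP


def classify(event):
    """Return 'Critical' for a known C2 destination, 'High' for a potential
    one, or None when the destination matches neither indicator list."""
    key = "ip" if event.data_type == "IP" else "domain"
    dst = event.dst.lower()
    if dst in KNOWN_C2[key]:
        return "Critical"
    if dst in POTENTIAL_C2[key]:
        return "High"
    return None


def triage(events, min_connections=2):
    """Group matching events per source host and raise a finding when a host
    has at least min_connections matches (the 'multiple connections' bar).
    The finding's severity is the highest severity among its matches, so a
    single known-C2 hit escalates the whole host to Critical."""
    per_host = defaultdict(list)
    for ev in events:
        sev = classify(ev)
        if sev:
            per_host[ev.src_host].append((sev, ev.data_type, ev.dst))

    findings = {}
    for host, matches in per_host.items():
        if len(matches) < min_connections:
            continue
        top = max((m[0] for m in matches), key=SEVERITY_RANK.__getitem__)
        findings[host] = {
            "severity": top,
            "destinations": sorted({m[2] for m in matches}),
            "data_types": sorted({m[1] for m in matches}),
        }
    return findings


# Constructed sample events: three internal hosts, one benign lookup.
SAMPLE_EVENTS = [
    Event("ws-01.corp.invalid", "DNS", "maybe-c2.example.invalid"),
    Event("ws-01.corp.invalid", "TLS", "maybe-c2.example.invalid"),
    Event("ws-01.corp.invalid", "IP", "192.0.2.10"),
    Event("ws-02.corp.invalid", "HTTP", "maybe-c2.example.invalid"),
    Event("ws-02.corp.invalid", "DNS", "www.example.com"),
    Event("ws-03.corp.invalid", "IP", "198.51.100.5"),
]

if __name__ == "__main__":
    # Hosts listed here are the ones to isolate first during response.
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} -> {finding['destinations']}")
```

With the constructed sample, only ws-01 crosses the two-connection bar and is reported as Critical because one of its three matches is a known C2 address; ws-02 and ws-03 each have a single match and stay below the threshold, which is the kind of tuning knob worth revisiting when a host with one known-C2 hit should still page an analyst.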

Investigation and Remediation

Isolate affected systems to prevent further C2 communication. Conduct an investigation to identify the malware, its entry point, and any actions taken by threat actors. Review network logs to understand the extent of the compromise and identify any lateral movement. After the investigation, reimage affected systems, reset compromised credentials, and patch vulnerabilities that may have been exploited.