Win.Trojan.ModernLoader inbound communication attempt

Mr_Dangol
Just browsing

Hello Community,

We keep getting the following events: Win.Trojan.ModernLoader inbound communication attempt, under Security/SD-WAN/Security Center. FYI, the Src IP is our ERP system, and the Dest IP is one of the endpoints in the local network.

Is this a false positive or a serious malicious attempt? Any help would be much appreciated!

alemabrahao
Kind of a big deal

Have you checked the source and destination?


MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Rule Explanation

Alerts on traffic produced by Win.Trojan.ModernLoader malware to or from the C2 server.

What To Look For

Alerts on traffic produced by Win.Trojan.ModernLoader malware to or from the C2 server.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Mr_Dangol
Just browsing

Yes, the source is our own ERP server, and the destination is a user endpoint. Is there any resolution to block this event from reoccurring without impacting other users' access to the ERP? Thanks!
