Meraki Community

Mr_Dangol · ‎Nov 7 2022

Hello Community,

We are keep getting following events: Win.Trojan.ModernLoader inbound communication attempt, under Security/SD-WAN/Security Center. FYI, Src IP is ERP system, and Dest IP is one of Endpoints in the local network.

Is this a false positive or a serious malicious attempt? any help would be much appreciated!

alemabrahao · ‎Nov 7 2022

Have you checked the source and destination?

MALWARE-CNC -- Snort has detected a Comand and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc

Rule Explanation

Alerts on traffic produced by Win.Trojan.ModernLoader malware to or from the C2 server.

What To Look For

Alerts on traffic produced by Win.Trojan.ModernLoader malware to or from the C2 server.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Mr_Dangol · ‎Nov 7 2022

Yes , the source is Our own ERP running server, and destination is a user endpoint. Is there any resolution to block this event reoccurrence without impacting other user access to ERP. thanks!