How to know if your PC is hacked

How can you tell if your PC is hacked?

It is one of the most common questions people ask. In this blog we will look at your network activity and figure out whether anything suspicious is going on on your computer, and whether it is connected to any threat actors. In the previous blog in the series, our beginner's guide to cyber security, we shed some light on the different ways malware can persist on your system: scheduled tasks, autoruns and Windows services. As usual we are going to hold a live Discord workshop where we look at your system right after this blog premieres, so go to discord.tbsc.tech or follow the link in the description for that.
Now let's jump to the main point and make this a really interesting blog. We have a wonderful volunteer on the desktop called intel.xmrig; the second part of the name might give you an idea of what it does. We will go ahead and run this file. Some of you may think that whenever a malicious actor is active on your computer, you will have a malware process running that you can see in your process list, scan, or upload to VirusTotal to check its detections, and that an antivirus scanner is going to find it. As we will see here, that is not necessarily the case. After running this sample I am going to open Process Explorer, and you will see that nothing malicious appears to be running on the system. It looks clean and good to go, but as we dig deeper you will see that a crypto miner is embedded in the system, taking up CPU resources and making the attacker money. Another thing to note before we get started: all the tools we use in this blog are part of the Sysinternals suite, so there are no paid tools; they are all freeware you can download directly from Microsoft. You could dive deeper with Wireshark, but we will not need to, because what we are trying to establish is whether there is a connection to a malicious IP, and what we want to capture is the malware operator's IP address. That allows us not only to shut down the malware activity on our system but also to report it to the authorities and get it taken down. In general you do not need to look at the actual communications or the packets being sent back and forth.
You only need to know whether a suspicious connection is being made. As we are talking you can notice that svchost.exe suddenly starts to take up 50% of the CPU, and look at the RAM it is using as well; Process Explorer describes it as Host Process for Windows Services, which is correct. What is happening here is hard to tell unless we look at the network activity. We will also open Task Manager to show you what a typical user would see: there is no malicious process, just the system taking up 50% of the CPU. A normal user might think this is just an update, especially now that updates regularly cause annoyances, but as we will discover when we check the IP address, this is not an update. It is a crypto miner mining Ethereum on our system. So what do we do about it? First, right-click the process and click Properties. The dialog typically opens on the Image tab; go to the TCP/IP tab, which shows the network connections established by this particular process. As you can see we have a remote server here, two of them in fact, and these are likely nodes the threat actor is using to run their mining operation. Sometimes these are self-hosted by the threat actor, sometimes they belong to a third party, such as a Google or AWS server. Even in that case you can collect this IP and file a complaint saying that this address is being used for malicious purposes, and the vendor providing services to the threat actor should be able to shut them down, because that is against their terms of service.
Make sure you have Resolve Addresses checked, because that shows more detail. Go back to the original window, exit out, and check the command line that was used to start svchost.exe: you can see a huge string of random characters, which is likely some kind of key, and you can also see OpenCL and CPU max-thread options, which are likely instructions for the miner. We could of course kill the process tree right now, but to make sure the miner goes away we would have to look for any persistence mechanisms it has on the system, which we discussed in the last blog. To get a better view of this, and a summary of all the connections your computer is currently making, open TCPView, which is also part of Sysinternals. It shows all of our processes and the remote addresses they are connecting to. You can see that some of these are legitimate Windows services; once again, make sure you have Resolve Addresses checked. But some of them can be suspicious, because they are not standard IP addresses that I would normally see on a system. Of course, if you are a new user you may not know that. So how can you determine which of these are legitimate connections and which are suspicious? For starters, check what network activity is supposed to be happening on your computer: if you have, for example, Steam, Discord and the like running, try shutting those applications down. That reduces some of the noise and lets you isolate anything happening beyond what you expect.
Once you have done that, you can copy the particular IP address and look it up to see whether it is associated with a legitimate service, or you can right-click it and click Whois, which gets the details for the domain name and who it is registered to. You can also get a complaint form there and report the threat actors. Once you have isolated the original sample, you can analyze it on a web platform like Intezer or VirusTotal. A big thank you to our sponsor Intezer for setting up an enterprise account so we can do our threat investigations. As you can see, this particular threat is an XMRig miner, with a correlation of 44 to it. If we check the VirusTotal report we get 53 detections. But I would remind you once again that this is not the first thing you will see when you look at a compromised system: you may have a system with only legitimate-looking processes that is totally malicious. By the way, these crypto miners are very clever: when you open something like Task Manager they drop all of their resource usage, so you do not see anything strange, but when you go away the miner ramps back up in the background and takes all of those CPU resources. If we look at the dynamic execution in the sandbox, you can see the same in-memory behaviour we noticed in the virtual machine: it launches svchost.exe, which looks legitimate, but carries out its mining operations inside it. Looking at the TTPs, we have process injection, specifically process hollowing, a technique where attackers replace the code of a legitimate system process and use it for their malicious activity. We also have a crypto-mining command, which is what we saw on the system; it is basically the same string and options we saw in Process Explorer, and we also have an IP address that leads to the Netherlands.
By the way, if you would like to conduct a similar threat investigation, you can set up a community account on analyze.intezer.com and start using it for free.
Now, back on our system, we can terminate the process tree associated with the crypto miner; I do not want to keep making them money. Hopefully that demonstrates how malicious network activity can be spotted on your system. Going through the steps once again: open something like TCPView, look at the remote addresses your system is connecting to, resolve them, and see whether any of them do not add up or are not associated with any service you use. Once you have done that, you can isolate the process and take action against it. Make sure to report the IPs as well. In future blogs we are going to focus on more in-depth analysis of different aspects of malware.
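As an added example, not code from the original post: a PowerShell pass that automates the TCPView and Process Explorer checks above (established connections joined to the owning process and its command line, remote ends reverse-resolved, with sanity checks on svchost.exe). It assumes an elevated PowerShell session on the Windows machine under review; the svchost heuristics (parent must be services.exe, must carry a -k service group) and the miner keyword list are my additions, not from the post.

```powershell
# Added example, not from the original post. Assumes elevated PowerShell 5.1+ on Windows.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local and IPv6 local ranges: local traffic, skip the reverse lookup
    return $Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
}

function Get-SuspiciousConnection {
    # Map PID -> process (name, command line, parent) once instead of one CIM query per socket
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
      Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
      ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $reasons = @()
        # Reverse-resolve the remote end, like "Resolve Addresses" in TCPView
        try   { $rname = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName }
        catch { $rname = '(no PTR record)'; $reasons += 'unresolvable remote' }
        if ($p -and $p.Name -ieq 'svchost.exe') {
            # Genuine svchost is started by services.exe with a "-k <group>" argument (my heuristic);
            # a hollowed copy carrying miner arguments, as in the post, fails one of these checks
            $parent = $procs[[int]$p.ParentProcessId]
            if (-not $parent -or $parent.Name -ine 'services.exe') { $reasons += 'svchost parent is not services.exe' }
            if ($p.CommandLine -notmatch '\s-k\s') { $reasons += 'svchost without -k service group' }
        }
        # Keywords seen in the miner command line on the post plus common mining-pool terms (my list)
        if ($p -and $p.CommandLine -match 'opencl|threads|stratum|xmrig') { $reasons += 'miner-like command line' }
        $name = if ($p) { $p.Name } else { "pid $($_.OwningProcess)" }
        $cmd  = if ($p) { $p.CommandLine } else { '' }
        [pscustomobject]@{
            Process = $name
            PID     = $_.OwningProcess
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Host    = $rname
            Flags   = ($reasons -join '; ')
            CmdLine = $cmd
        }
      }
}

# Flagged rows first; close Steam, Discord and browsers beforehand to cut the noise, as the post suggests
Get-SuspiciousConnection | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Rows with a non-empty Flags column are the ones to look up with Whois and report, as described above.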

