Trojan:O97M/Donoff

Guidance for end users

For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.

To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.

Guidance for enterprise administrators

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Initial access

• Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.

Security controls

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on attack surface reduction rules, including rules that block malware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode. The following rules help to block or audit activity associated with this threat:
• Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that  Safe Links protection and Safe Attachments are enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery. 
• Turn on tamper protection features to prevent attackers from stopping security services.
• Ensure internet-facing assets have the latest security updates. Audit these assets regularly for suspicious activity.
• Secure internet-facing RDP services behind a multi-factor authentication (MFA) gateway. If you don't have an MFA gateway, enable network-level authentication (NLA) and ensure that server machines have strong, randomized local admin passwords.
• Follow standard guidance for macro security in the security baselines for Office and office 365 and the Windows security baselines.
• Use the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

• Block all Office applications from creating child processes
• Block Office applications from creating executable content
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Credential hygiene

• Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.

Impact

• Keep backups so you can recover data affected by trojan malware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.