Trojan:PowerShell/Redearps.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a PowerShell script that downloads and distributes Ransom:Win64/Pydomer. Ransom:Win64/Pydomer is a ransomware payload dropped by human-operated ransomware campaigns taking advantage of Exchange Server vulnerabilities.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Take the following steps to help address these remnant artifacts:
- Apply the corresponding security updates for Exchange Server, including the applicable fixes for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. Prioritize patching internet-facing Exchange servers to reduce risk in an ordered manner, but note that unpatched internal Exchange Server instances are subject to the same vulnerabilities.
- If you are unable to apply security updates to Exchange Server 2013, 2016, and 2019, apply the interim mitigations described in the Microsoft Security Response Center (MSRC) blog post Microsoft Exchange Server Vulnerabilities Mitigations — March 2021.
- Immediately isolate the affected device. If Trojan:PowerShell/Redearps.A or Ransom:Win64/Pydomer has been launched, then it is likely that the device is now under the attacker's complete control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts. This will include mailbox accounts and service accounts associated with on-premises Exchange Servers if exploit activity related to compromise of those services also occurred.
- Investigate how the affected device might have been compromised. This malware often arrives through phishing emails that contain Office documents, ZIP files, or .JS files. It is also known to arrive through exploitation of vulnerabilities in Microsoft Edge devices, brute-force attacks, or web downloads initiated by other malware. The initial executable is often, but not always, extracted from a compressed file.
- Investigate the device timeline for indications of lateral movement using one of the compromised accounts.
- Investigate any alerts related to Trojan:PowerShell/Redearps.A or Ransom:Win64/Pydomer.
Guidance for enterprise administrators
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Remediate vulnerabilities or misconfigurations in web applications and web servers.
- Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
- Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Use Microsoft Defender for Office 365 for enhanced protection and coverage against new multi-faceted threats and polymorphic variants. Microsoft 365 Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection.
- Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
- Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
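The following PowerShell is an added example, not code from this Microsoft page, showing how to act on two of the investigation items above: counting failed logons (event ID 4625) per source address to spot brute-force attempts, and pulling the successful network and RDP logons (event ID 4624, logon types 3 and 10) of accounts you have already declared compromised to build a lateral-movement timeline. The event records, IP addresses, account names and thresholds are constructed for illustration; the `ConvertTo-LogonRecord` helper is an assumption about how you would flatten live `Get-WinEvent` output into the same shape.

```powershell
# Added example (not from the Microsoft page): triage Security log events for the
# brute-force and lateral-movement checks in the guidance. Assumes standard 4624/4625
# EventData fields (TargetUserName, IpAddress, LogonType); thresholds are illustrative.

function ConvertTo-LogonRecord {
    # Flatten a Get-WinEvent record into the fields the two checks below need.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            Id             = $Event.Id
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            LogonType      = $data['LogonType']
        }
    }
}

function Find-BruteForceSources {
    # Report any source IP with at least $Threshold failed logons (4625) inside a
    # sliding window of $WindowMinutes, plus the accounts it was trying.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    foreach ($group in ($Records | Where-Object Id -eq 4625 | Group-Object IpAddress)) {
        $times = @($group.Group.TimeCreated | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # advance the window start until it fits inside $WindowMinutes
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{
                    IpAddress   = $group.Name
                    Failures    = $end - $start + 1
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$end]
                    Accounts    = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                }
                break   # one finding per source is enough for triage
            }
        }
    }
}

function Find-LateralMovement {
    # Successful logons by compromised accounts that came over the network (type 3)
    # or RDP (type 10), ordered in time: the hops to investigate on each host.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$CompromisedAccounts
    )
    $Records |
        Where-Object { $_.Id -eq 4624 -and $_.LogonType -in @('3','10') -and
                       $_.TargetUserName -in $CompromisedAccounts } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, TargetUserName, IpAddress, LogonType
}

# Constructed sample data (not real telemetry): a password spray followed by the
# attacker's first successful network and RDP logons with a sprayed account.
$base   = [datetime]'2021-03-10T02:00:00'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds(10 * $_); Id = 4625
                           TargetUserName = "user$($_ % 3)"; IpAddress = '203.0.113.7'; LogonType = '3' }
    }
    # one mistyped password from a workstation: below threshold, not reported
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(1); Id = 4625; TargetUserName = 'alice'; IpAddress = '10.0.0.25'; LogonType = '2' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(4); Id = 4624; TargetUserName = 'user1'; IpAddress = '203.0.113.7'; LogonType = '3' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(9); Id = 4624; TargetUserName = 'user1'; IpAddress = '10.0.0.40'; LogonType = '10' }
    # interactive logon by an unaffected user: ignored by both checks
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(12); Id = 4624; TargetUserName = 'bob'; IpAddress = '-'; LogonType = '2' }
)

Find-BruteForceSources -Records $sample -Threshold 10 -WindowMinutes 5 | Format-Table
Find-LateralMovement  -Records $sample -CompromisedAccounts 'user1'        | Format-Table

# Against a live host, feed real events through the same functions, for example:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-1)} |
#     ConvertTo-LogonRecord | Find-BruteForceSources
```

On the sample data the first call reports 203.0.113.7 with 10 failures in 90 seconds against user0, user1 and user2, while the single failure from 10.0.0.25 is not reported; the second call lists the two user1 logons (network from 203.0.113.7, then RDP from 10.0.0.40), which is the order in which to examine those hosts. Tune the threshold and window to your environment; a low threshold on a server that legitimately sees many failed service-account logons will produce noise.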
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
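As an added example (not part of the original Microsoft page), the following PowerShell applies three of the administrator guidance items above on a Windows server: an inbound firewall block for RPC endpoint mapper (TCP 135) and SMB (TCP 445) to limit lateral movement, attack surface reduction rules deployed in audit mode first, and the registry value that requires network-level authentication for RDP. The function name `Invoke-EndpointHardening` is an assumption; the ASR rule GUIDs are taken from Microsoft's published ASR rule reference and should be checked against the current documentation before use. Run with `-WhatIf` to preview the changes.

```powershell
# Added example (not from the Microsoft page): apply firewall, ASR and NLA hardening
# with ShouldProcess support so the script can be dry-run with -WhatIf.
function Invoke-EndpointHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Deploy ASR rules in audit mode first (as the guidance recommends), then
        # re-run with -AsrAction Enabled once the audit events have been reviewed.
        [ValidateSet('AuditMode', 'Enabled')][string]$AsrAction = 'AuditMode'
    )

    # 1. Block inbound RPC endpoint mapper and SMB from other endpoints.
    #    Add -RemoteAddress exceptions if management hosts must still reach this machine;
    #    do not apply this to file servers or domain controllers without scoping it.
    foreach ($port in 135, 445) {
        $name = "Block inbound TCP $port (limit lateral movement)"
        if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Domain, Private | Out-Null
        }
    }

    # 2. Attack surface reduction rules relevant to human-operated ransomware
    #    (GUIDs from Microsoft's ASR rule reference; verify before deploying).
    $asrRules = @{
        'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
    }
    foreach ($id in $asrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($asrRules[$id], "Add-MpPreference ($AsrAction)")) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                             -AttackSurfaceReductionRules_Actions $AsrAction
        }
    }

    # 3. Require network-level authentication for RDP connections.
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess($rdp, 'Set UserAuthentication = 1')) {
        Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
    }
}

# Preview only; nothing is changed. Drop -WhatIf to apply, and switch to
# -AsrAction Enabled after reviewing the ASR audit events.
Invoke-EndpointHardening -WhatIf
```

Audit-mode ASR events and the new firewall rule's block events are what you review before enforcing: the guidance above calls for audit mode precisely so that rules that would break a legitimate workflow are caught before they are switched to block.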