Trojan:Win32/NativeZone!mclg

Guidance for end users  

For more tips on how to keep your device safe, visit the Microsoft security help & learning portal.

Read more about guarding against supply chain attacks for information on staying safe from this type of threat.

To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.

Guidance for enterprise administrators 

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. 

Initial access 

• Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity. 
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses. 

Security controls 

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. 
• Turn on attack surface reduction rules, including rules that block malware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
• Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that  Safe Links protection is turned on for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.  
• Turn on tamper protection features to prevent threat actors from stopping security services. 
• Ensure internet-facing assets have the latest security updates. Audit these assets regularly for suspicious activity. 
• Secure internet-facing Remote Desktop Protocol (RDP) services behind a multifactor authentication (MFA) gateway. If you do not have an MFA gateway, allow network-level authentication (NLA) and ensure that server devices have strong, randomized local administrator passwords. 
• Follow standard guidance for macro security in the security baselines for Office and office 365 and the Windows security baselines. 
• Use the Microsoft Defender Firewall and your network firewall to prevent remote procedure call (RPC) and server message block (SMB) communication among endpoints whenever possible. This limits lateral movement and other attack activities. 

Credential hygiene 

• Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications. 

Impact 

• Keep backups so you can recover data affected by trojan malware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files. 

Improve your security posture against supply chain attacks

• Software developers and publishers are advised to maintain secure build and update infrastructure and to establish a response process for supply chain attacks. Software updates should always be delivered using SSL connections and signed components.
• Conduct an inventory of your software suppliers. Do your due diligence to confirm there are no red flags. The NIST Cyber Supply Chain Best Practices provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls—both cyber and physical—are in place.
• Set a high standard of software assurance with partners and suppliers. Governmental organizations such as the Department of Homeland Security, SAFECode, the OWASP SAMM, and the U.K. National Cyber Security Centre’s Commercial Product Assurance (CPA) provide a model. You can also refer to Microsoft’s secure development lifecycle (SDL). The SDL defines 12 best practices that Microsoft developers and partners utilize to reduce vulnerabilities. Use SDL to guide a software assurance program for your engineers, partners, and suppliers.