TrojanDownloader:O97M/Obfuse

Guidance for end users

• Do not open suspicious or irrelevant emails with links or attachments, as this could infect your device
• Ensure to download and install software from verified and legitimate sources

Take these steps to help prevent malware infection on your computer.

Guidance for enterprise administrators

Apply these mitigations to reduce the impact of this threat.  

• Turn on tamper protection features to prevent attackers from stopping security services.
• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
• Utilize the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
• Enforce strong, randomized local administrator passwords. Use tools like LAPS.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
• Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
• Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants.
• Configure Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence.
• Check your Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations—Office 365 will honor these settings and can let potentially harmful messages pass through.
• Review system overrides in threat explorer to determine why attack messages have reached recipient mailboxes.
• Turn on the following attack surface reduction rules to block or audit activities associated with this threat:
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Use advanced protection against ransomware
• Block process creations originating from PSExec and WMI commands