Remote detection of a trojan - how can it be done?
In this blog post CyberCube claim:
CyberCube observed a malware infection on Colonial Pipeline’s network named “trojan.win32.razy.gen”
I'm really curious to know how this could be done from outside Colonial's network. I'm asking in general, using this case as an example - please don't post any proprietary information.
The article doesn't say how that malware was detected, but from the other parts of the article, they used external traffic analysis to come to their other conclusions.
A search for trojan.win32.razy.gen shows that it is a malicious browser extension that redirects browser traffic in very specific ways.
So, from these clues, it would be reasonable to conclude that they could have seen this malware's traffic externally.