Canuel Caterers was started 27 years ago by two entrepreneurial brothers with the ambition of building a company that could rival the large, multi-national food service providers in Canada. Canuel has 45+ school accounts across the Lower Mainland and the Interior of British Columbia, in addition to multiple corporate accounts. Supported by a strong management, sales and operational team, they offer a variety of lunch service styles in these facilities, including meal programs for schools. In addition to on-site concession, vending, and customized coffee programs, Canuel also provides on-site catering for groups of 10 to 1500 customers.
The Issue
Canuel Caterers uses an accounting system that produces electronic invoices and automatically emails them to customers daily. Unbeknownst to anyone, an obfuscated JavaScript file residing on the AP clerk’s PC had been designed to download additional malware and/or adware. This script was injecting a malware URL into client-facing invoices as they were being sent out. When the recipient opened the invoice, it would try to download the malicious software onto that recipient’s device. Because the script residing on the PC was not causing any damage to Canuel’s own computer or network, it was never flagged by their anti-virus software.
How it was discovered
As part of its security umbrella, Revotech uses a product called Huntress. Huntress provides an underlying layer of detection and response that goes beyond anti-virus and uses real humans to analyze patterns and behaviors. The Huntress agent’s daily automated scan surfaced the payload; Huntress analysts then reviewed it and determined the risk. They alerted Revotech through our PSA integration, which created a ticket for further investigation.
Solution
In addition to reporting back to Revotech, Huntress also provided the exact details and location of the script files. Revotech’s engineers investigated the issue and used command-line instructions to remove the script file, its registry keys and its Task Scheduler trigger from the PC.
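The remediation described above, as an added example rather than Revotech’s or Huntress’s own tooling: a PowerShell hunt for the two persistence mechanisms the case study names, a scheduled task and registry Run keys, that launch a script file through the Windows Script Host. By default it only reports what it finds; with -Remove it unregisters the task, deletes the registry value and moves the script into a quarantine folder so it can still be analyzed. The quarantine path, the regexes and the key list are assumptions, and HKCU covers only the account the script is run under, so run it as the affected user or load that user’s hive.

```powershell
<#
  Added example, not the tooling used in the case study.
  Finds scheduled tasks and Run/RunOnce values that execute a .js/.jse file
  (directly or via wscript/cscript), reports them and, with -Remove,
  unregisters/deletes them and quarantines the script for analysis.
  Run from an elevated PowerShell prompt. Paths and patterns are assumptions.
#>
param(
    [switch]$Remove,
    [string]$Quarantine = "C:\IR\quarantine"   # assumed evidence folder
)

# A command line is suspicious if it invokes the script host or names a .js/.jse file.
$hostPattern   = '(?i)\b[wc]script(\.exe)?\b'
$scriptPattern = '(?i)\.jse?\b'
$pathPattern   = '(?i)[A-Za-z]:\\[^"''\s]+\.jse?'

function Test-Suspicious([string]$cmd) {
    return ($cmd -match $hostPattern) -or ($cmd -match $scriptPattern)
}

function Save-Script([string]$cmd) {
    # Quarantine rather than delete, so the sample survives for analysis.
    if ($cmd -match $pathPattern) {
        $file = $Matches[0]
        if (Test-Path $file) {
            New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
            Move-Item -Path $file -Destination $Quarantine -Force
            Write-Host "  quarantined $file"
        }
    }
}

# 1. Scheduled tasks: inspect every action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (-not (Test-Suspicious $cmd)) { continue }
        Write-Host "TASK   $($task.TaskPath)$($task.TaskName) -> $cmd"
        if ($Remove) {
            Save-Script $cmd
            Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            Write-Host "  unregistered task"
        }
    }
}

# 2. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        if (-not (Test-Suspicious $cmd)) { continue }
        Write-Host "RUNKEY $key\$($p.Name) -> $cmd"
        if ($Remove) {
            Save-Script $cmd
            Remove-ItemProperty -Path $key -Name $p.Name
            Write-Host "  removed registry value"
        }
    }
}
```

Run it once without -Remove to review the hits (legitimate admin scripts also use wscript), then again with -Remove for the entries that match what the detection report identified. Quarantining the file instead of deleting it keeps evidence for determining what the script downloaded and which invoices it touched.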
Results
The PC was no longer injecting URLs that downloaded malware onto recipients’ PCs into invoices. Those invoices and the company’s emails were no longer being blocked by their customers’ email filtering tools and, more importantly, no longer risked damaging their customers’ systems.