App Review Kaspersky Endpoint Security 11 vs CXK-NMSL ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
It seems that this malware is generally similar to the CXK-NMSL ver. 3.3:
app.any.run

Analysis 2020.1.10-2020.1.23Information on Travelers from Wuhan China to India.zip (MD5: F94D84DA27BD095FDEAF08ED4F7D8C9A) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
app.any.run app.any.run
The attack uses the batch file and some LOLBins (certutil.exe, choice.exe, wscript.exe, rundll32.exe) to avoid detection.
 
  • Like
  • +Reputation
Reactions: Mercenary, roger_m, fabiobr and 11 others
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,910
As I always say in these cases, probably a tweaked Application Control would not compromise the system... all those tools used to encrypt the system are legit (system LOLBins) hehe...

www.f5.com

Old Dog, New Targets: Switching to Windows to Mine Electroneum

Apache Struts 2 Jakarta Multipart Parser RCE crypto-mining campaign is now targeting Windows, not just Linux systems.
www.f5.com www.f5.com
 
Last edited:
  • Like
Reactions: Mercenary, roger_m, simmerskool and 10 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
harlan4096 said:
As I always say in these cases, probably a tweaked Application Control would not compromise the system...
Click to expand...
It would be interesting to test this on MH. If one does not use Trusted Application Mode (can detect batch files), then many setups based on Application Control tweaks can be insufficient. Probably, one has to add cmd.exe and certutil.exe to the untrusted group. Adding cmd to the untrusted group can produce software incompatibilities. :unsure:
But, I may be wrong (I do not use KIS for some years).
 
Last edited:
  • Like
  • +Reputation
Reactions: bayasdev, Mercenary, roger_m and 12 others
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Protected folders/Controlled folder access should work in these cases? I guess unless one of these legit processes has already been granted access... Obviously Kaspersky has their own methods, application control.
 
Last edited:
  • Like
Reactions: Mercenary, fabiobr, simmerskool and 7 others
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,910
Protected folders can be also implemented in Kaspersky products (Application Control -> Manager Resources), although it is not so easy than WD or others products just enabling and adding apps... but Kaspersky way is more customizable and You can assign rights for different opeations over the files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...
 
  • Like
  • Thanks
Reactions: Mercenary, roger_m, fabiobr and 11 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
harlan4096 said:
...
@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...
...
Click to expand...
Yes, this is the new version 4.0 - did not found the analysis yet. But, the method is similar to ver. 3.3. Do you have any idea why the batch file from version 4.0 was not blocked by System Watcher?
 
  • Like
Reactions: Mercenary, Solarquest, simmerskool and 8 others
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,910
Probably they used certutil.exe to download an encrypted malware, as explained in my previous post link... don't know :unsure:

Also those additional LOLBins used by the malware are trusted in Application Control and KSN by default, so...

I see Symantec EndPoint also failed :unsure:
 
  • Like
  • +Reputation
Reactions: Mercenary, roger_m, fabiobr and 10 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
The previous version used an oversized batch file (7.10 Mb) which probably contained the malware. So, the crucial thing would be to block this batch file. The certutil.exe was used to encrypt files (via "certutil -encode" command-line) with legal certificates (*.der files).
 
  • Like
  • +Reputation
Reactions: Mercenary, roger_m, Solarquest and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
My first thought was that the big batch file contained base64 encoded malware which was next decoded by using the command-line "certutil -decode" like in the below example:
BAT file based Ransomware targeting people in China – SonicWall
But, the ver. 3.3 did not use such a command-line, only "certutil -encode" was used. The video also suggests using only "certutil -encode" command-line.
 
Last edited:
  • Like
Reactions: Mercenary, roger_m, Protomartyr and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
CXK-NMSL.png
 
  • Like
Reactions: simmerskool, harlan4096, stefanos and 1 other person
M

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
cruelsister said:
It is really nothing but a batch file (built around certutil with an encode verb) with a vbs tweak for show.
Click to expand...

Hah, I guess it's starting to gain a little popularity.... I picked 7z for my fake malware but that's my lack of creativity. Using certutil is kind of cute.

On Linux/macOS, it's really common these days that either python or the openssl command is used to achieve either de-obfuscation or outright cryptoransom.

This is going to be a new area of challenge for behavior blockers / dynamic protection to understand. Combined with the ability to obfuscate scripts themselves, IMO this has to be handled by dynamic protection, not just some sort of static scanner or even a fancy signature scanner.... Looking forward to see what vendors come up with!
 
  • Like
Reactions: Mercenary, simmerskool, harlan4096 and 7 others
fabiobr

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
569
harlan4096 said:
Protected folders can be also implemented in Kaspersky products (Application Control -> Manager Resources), although it is not so easy than WD or others products just enabling and adding apps... but Kaspersky way is more customizable and You can assign rights for different opeations over the files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...
Click to expand...
BitDefender protected folders/ATP is enough?

Can someone test it?
 
  • Like
Reactions: Mercenary, simmerskool, harlan4096 and 3 others

Similar threads

NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
405
Video Reviews - Security and Privacy
bazang
bazang
NB InfoTech
    • Like
App Review Trend Micro Maximum Security Antivirus Review | Trend Micro vs Ransomware Test | [TESTED]
Replies
1
Views
733
Video Reviews - Security and Privacy
Bot
Bot
NB InfoTech
    • Like
App Review PC Matic Home Review | PC Matic Home Security Antivirus vs Ransomware | 2024
Replies
4
Views
748
Video Reviews - Security and Privacy
Dave Russo
Dave Russo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top