App Review Kaspersky Endpoint Security 11 vs CXK-NMSL ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Robbie said:
You always learn something new :) Although I will never admit I did not know that and I will deny every accusation of it.
Click to expand...
I’ve never known @Robbie to be wrong, now Roboman... :ROFLMAO:

I would say it would be nice if companies used consistent terminology between home and enterprise products, but the reality is most users of each don’t see the other. So, it doesn’t really matter for them. My biggest wish is that companies would document/explain modules better. I know they need their secret sauce, but understanding what a module actually does is sometimes hard to figure out.
 
  • Like
Reactions: Mercenary, roger_m, Outpost and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
Andy Ful said:
My first thought was that the big batch file contained base64 encoded malware which was next decoded by using the command-line "certutil -decode" like in the below example:
BAT file based Ransomware targeting people in China – SonicWall
But, the ver. 3.3 did not use such a command-line, only "certutil -encode" was used. The video also suggests using only "certutil -encode" command-line.
Click to expand...
When I made a closer look at a code of this BAT, I found a few "certutil -decode" commands after many "certutil -encode" commands. Some files were hidden in the BAT file as an array of bytes, like for example the whole mp3 file. But, the files extracted/decoded from the malware were not related to encrypting files on disk. As @cruelsister noticed, the ransomware job was done by very simple code. The malware followed this path:
Loop (rename file ---> encode to another file by using "certutil -encode")
delete the renamed files
.... (some additional actions)
Delete traces
 
Last edited:
  • Like
  • +Reputation
Reactions: Solarquest, Mercenary, harlan4096 and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
In the wild, the malicious BAT was wrapped in the EXE file which pretended to be an Excel document, so the BAT malware was not executed manually by the user. This means, that the malware could also bypass SysHardener protection for BAT files and some SRP configs based on Default Security Level = "Basic User" (the "Disallowed" setting will block it).
It is possible that Kaspersky's proactive protection could block the initial EXE, especially with tweaked Application Control.
 
  • Like
  • +Reputation
  • Wow
Reactions: simmerskool, Solarquest, bayasdev and 8 others

Similar threads

NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
405
Video Reviews - Security and Privacy
bazang
bazang
NB InfoTech
    • Like
App Review Trend Micro Maximum Security Antivirus Review | Trend Micro vs Ransomware Test | [TESTED]
Replies
1
Views
733
Video Reviews - Security and Privacy
Bot
Bot
NB InfoTech
    • Like
App Review PC Matic Home Review | PC Matic Home Security Antivirus vs Ransomware | 2024
Replies
4
Views
748
Video Reviews - Security and Privacy
Dave Russo
Dave Russo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top