App Review Kaspersky Endpoint Security 11 vs CXK-NMSL ransomware


Andy Ful
It seems that this malware is generally similar to the CXK-NMSL ver. 3.3:
The attack uses the batch file and some LOLBins (certutil.exe, choice.exe, wscript.exe, rundll32.exe) to avoid detection.
 

harlan4096
As I always say in these cases, probably a tweaked Application Control would not compromise the system... all those tools used to encrypt the system are legit (system LOLBins) hehe...

 

Andy Ful
As I always say in these cases, probably a tweaked Application Control would not compromise the system...
It would be interesting to test this on MH. If one does not use Trusted Application Mode (can detect batch files), then many setups based on Application Control tweaks can be insufficient. Probably, one has to add cmd.exe and certutil.exe to the untrusted group. Adding cmd to the untrusted group can produce software incompatibilities. :unsure:
But, I may be wrong (I have not used KIS for some years).
 

blackice
Protected folders/Controlled folder access should work in these cases? I guess unless one of these legit processes has already been granted access... Obviously Kaspersky has their own methods, application control.
 

harlan4096
Protected folders can also be implemented in Kaspersky products (Application Control -> Manage Resources), although it is not as easy as in WD or other products, where you just enable it and add apps... but the Kaspersky way is more customizable and you can assign rights for different operations over files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...
 

Andy Ful
...
@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...
...
Yes, this is the new version 4.0 - I have not found the analysis yet. But, the method is similar to ver. 3.3. Do you have any idea why the batch file from version 4.0 was not blocked by System Watcher?
 

harlan4096
Probably they used certutil.exe to download an encrypted malware, as explained in my previous post link... don't know :unsure:

Also those additional LOLBins used by the malware are trusted in Application Control and KSN by default, so...

I see Symantec Endpoint also failed :unsure:
 

Andy Ful
The previous version used an oversized batch file (7.10 MB) which probably contained the malware. So, the crucial thing would be to block this batch file. The certutil.exe was used to encrypt files (via the "certutil -encode" command line) with legal certificates (*.der files).
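The chain described in this thread (a batch file or wscript.exe spawning certutil.exe, choice.exe, rundll32.exe) is visible in process-creation telemetry even when every binary involved is a trusted system file. The following is an added example, not code from the thread or from any vendor: it scores Sysmon-style process-creation records by parent/child pairing and by the certutil verb used. The event records in SAMPLE_EVENTS are constructed, the paths are placeholders, and the field names (ProcessId, ParentImage, Image, CommandLine) are assumed to match the collector's schema.

```python
"""Process-creation triage for the LOLBin chain discussed in this thread:
a batch file (cmd.exe) or wscript.exe spawning certutil.exe, choice.exe or
rundll32.exe. Added example, not code from the thread or from any vendor.
The records in SAMPLE_EVENTS are constructed Sysmon-style fields
(ProcessId, ParentImage, Image, CommandLine), not real telemetry."""
from typing import Dict, List

# Script hosts that run a .bat/.vbs, and the LOLBins the thread names as their children
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
WATCHED_CHILDREN = {"certutil.exe", "rundll32.exe", "choice.exe", "wscript.exe"}

# certutil verbs that earn a reason string when the parent is a script host
CERTUTIL_VERBS = {
    "-encode": "base64-encodes a file (the verb the thread's sample runs on victim files)",
    "-decode": "turns a base64 text file back into binary",
    "-urlcache": "fetches a remote file",
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons one process-creation event is suspicious; [] means benign."""
    reasons: List[str] = []
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    if parent not in SCRIPT_HOSTS or image not in WATCHED_CHILDREN:
        return reasons
    args = [a.strip('"').lower() for a in event["CommandLine"].split()]
    if image == "certutil.exe":
        for verb, why in CERTUTIL_VERBS.items():
            if verb in args:
                reasons.append(f"certutil {verb}: {why}")
        # The thread's sample names its encoded output *.der so it passes as a certificate
        if "-encode" in args and any(a.endswith(".der") for a in args):
            reasons.append("encoded output named .der, posing as a certificate file")
    else:
        reasons.append(f"{image} spawned by script host {parent}")
    return reasons


def alerts(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons for every event that classify() flags."""
    flagged: Dict[str, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["ProcessId"]] = reasons
    return flagged


# Constructed sample events (not real telemetry); paths are placeholders
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -encode "C:\Users\v\Documents\report.docx" "C:\Users\v\Documents\report.docx.der"'},
    {"ProcessId": "4121", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\choice.exe",
     "CommandLine": "choice /t 3 /d y /n"},
    {"ProcessId": "4122", "ParentImage": r"C:\Windows\explorer.exe",  # admin at a console: benign
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\Temp\server.cer"},
    {"ProcessId": "4123", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\v\AppData\Local\Temp\p.txt C:\Users\v\AppData\Local\Temp\p.exe"},
    {"ProcessId": "4124", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe user32.dll,LockWorkStation"},
]

if __name__ == "__main__":
    for pid, reasons in alerts(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The parent/child pairing is what carries the signal here: certutil -verify run from Explorer by an administrator is left alone, while the same binary launched from cmd.exe with -encode and a .der output name gets two reasons. A real deployment would add the batch file's own creation event and a per-session count of flagged children, since the thread's point is that no single LOLBin is untrusted on its own.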
 

Andy Ful
My first thought was that the big batch file contained base64 encoded malware which was next decoded by using the command-line "certutil -decode" like in the below example:
BAT file based Ransomware targeting people in China – SonicWall
But, the ver. 3.3 did not use such a command-line, only "certutil -encode" was used. The video also suggests using only "certutil -encode" command-line.
 

Andy Ful
[Attached image: CXK-NMSL.png]
 

MacDefender
It is really nothing but a batch file (built around certutil with an encode verb) with a vbs tweak for show.

Hah, I guess it's starting to gain a little popularity.... I picked 7z for my fake malware but that's my lack of creativity. Using certutil is kind of cute.

On Linux/macOS, it's really common these days that either python or the openssl command is used to achieve either de-obfuscation or outright cryptoransom.

This is going to be a new area of challenge for behavior blockers / dynamic protection to understand. Combined with the ability to obfuscate scripts themselves, IMO this has to be handled by dynamic protection, not just some sort of static scanner or even a fancy signature scanner.... Looking forward to see what vendors come up with!
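Several posts above note that the sample relies on "certutil -encode" rather than -decode, which matters for response: that verb produces base64 text wrapped in CERTIFICATE markers, not ciphertext, so a file it has processed can be read back. The following is an added example, not the thread's code and not a vendor tool. certutil_style_encode reproduces certutil's default output layout (64-column base64 between BEGIN/END CERTIFICATE lines, CRLF line ends) so the decoder can be exercised offline; the contents of SAMPLE_FILES are constructed, and the "photo.jpg.der" entry is a constructed stand-in for a file that was really encrypted.

```python
"""The shape of `certutil -encode` output and how to reverse it. Added
example, not the thread's code. certutil_style_encode mirrors certutil's
default output (64-column base64 between BEGIN/END CERTIFICATE markers,
CRLF line ends) so the decoder can be tested offline; SAMPLE_FILES holds
constructed contents, not files from any real incident."""
import base64
from typing import Dict

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def certutil_style_encode(data: bytes) -> bytes:
    """Base64 with certutil's default armour; stand-in for `certutil -encode in out`."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\r\n".join([HEADER, *lines, FOOTER]) + "\r\n").encode("ascii")


def certutil_style_decode(blob: bytes) -> bytes:
    """Strip the armour and decode; raises ValueError if the file is not of this shape."""
    # Non-ASCII bytes raise UnicodeDecodeError, a ValueError subclass, so real
    # ciphertext is rejected here before any base64 handling.
    lines = [ln.strip() for ln in blob.decode("ascii").splitlines()]
    if len(lines) < 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not certutil -encode output")
    # validate=True makes stray characters a binascii.Error (also a ValueError)
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Label each file: 'recoverable' if it decodes cleanly, otherwise 'opaque'."""
    verdict: Dict[str, str] = {}
    for name, blob in files.items():
        try:
            certutil_style_decode(blob)
            verdict[name] = "recoverable"
        except ValueError:
            verdict[name] = "opaque"
    return verdict


# Constructed sample contents (not from any real incident)
_ORIGINAL = b"Quarterly figures\r\n" * 40 + bytes(range(256))
SAMPLE_FILES = {
    "report.docx.der": certutil_style_encode(_ORIGINAL),
    "photo.jpg.der": bytes([0x9C, 0x03, 0xFF, 0x10] * 32),  # stand-in for real ciphertext
    "empty.txt.der": certutil_style_encode(b""),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

The triage step is the one an incident responder wants first: run it over the renamed files and separate what is merely base64-armoured (and can be restored with the decoder, or with certutil's own -decode verb) from what needs a real key. The encoder is only there so the block runs without certutil; on a Windows host the armour check applies unchanged to files certutil wrote.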
 

fabiobr
Protected folders can also be implemented in Kaspersky products (Application Control -> Manage Resources), although it is not as easy as in WD or other products, where you just enable it and add apps... but the Kaspersky way is more customizable and you can assign rights for different operations over files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...
Are BitDefender protected folders/ATP enough?

Can someone test it?
 
