App Review Kaspersky Endpoint Security 11 vs CXK-NMSL ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

blackice

You always learn something new :) Although I will never admit I did not know that and I will deny every accusation of it.
I’ve never known @Robbie to be wrong, now Roboman... :ROFLMAO:

I would say it would be nice if companies used consistent terminology between home and enterprise products, but the reality is most users of each don’t see the other. So, it doesn’t really matter for them. My biggest wish is that companies would document/explain modules better. I know they need their secret sauce, but understanding what a module actually does is sometimes hard to figure out.
 

Andy Ful

From Hard_Configurator Tools
My first thought was that the big batch file contained base64-encoded malware which was then decoded with the command line "certutil -decode", as in the example below:
BAT file based Ransomware targeting people in China – SonicWall
But version 3.3 did not use such a command line; only "certutil -encode" was used. The video also suggests that only the "certutil -encode" command line is used.
When I took a closer look at the code of this BAT, I found a few "certutil -decode" commands after many "certutil -encode" commands. Some files were hidden in the BAT file as an array of bytes, for example a whole mp3 file. But the files extracted/decoded from the malware were not related to encrypting files on disk. As @cruelsister noticed, the ransomware job was done by very simple code. The malware followed this path:
Loop (rename file ---> encode to another file by using "certutil -encode")
Delete the renamed files
.... (some additional actions)
Delete traces
 
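The loop Andy Ful describes (rename, "certutil -encode" into a new file, delete the original) leaves a distinctive trace in process-creation telemetry: a burst of certutil -encode invocations under one parent, interleaved with deletes. The Python below is an added detection example, not code from the thread or from the malware; it runs over a constructed list of Sysmon-style events (timestamp, parent image, command line) and a constructed batch-file fragment, both assumptions about log shape rather than real captures, and flags the pattern while leaving a single administrative certutil -encode alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events, not real telemetry:
# (ISO timestamp, parent image, command line)
SAMPLE_EVENTS = [
    ("2019-04-01T10:00:00", r"C:\Windows\System32\cmd.exe",
     r'certutil -encode "D:\docs\report.xlsx.tmp" "D:\docs\report.xlsx.enc"'),
    ("2019-04-01T10:00:01", r"C:\Windows\System32\cmd.exe",
     r'cmd /c del "D:\docs\report.xlsx.tmp"'),
    ("2019-04-01T10:00:02", r"C:\Windows\System32\cmd.exe",
     r'certutil -encode "D:\docs\notes.txt.tmp" "D:\docs\notes.txt.enc"'),
    ("2019-04-01T10:00:03", r"C:\Windows\System32\cmd.exe",
     r'certutil -encode "D:\docs\photo.jpg.tmp" "D:\docs\photo.jpg.enc"'),
    ("2019-04-01T10:00:04", r"C:\Windows\System32\cmd.exe",
     r'certutil -encode "D:\docs\budget.csv.tmp" "D:\docs\budget.csv.enc"'),
    ("2019-04-01T10:00:05", r"C:\Windows\System32\cmd.exe",
     r'certutil -encode "D:\docs\thesis.pdf.tmp" "D:\docs\thesis.pdf.enc"'),
    # A single administrative use from PowerShell an hour later: should not alert.
    ("2019-04-01T11:30:00", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'certutil -encode C:\certs\server.cer C:\certs\server.b64'),
    # Certificate verification, not an encode/decode at all.
    ("2019-04-01T11:31:00", r"C:\Windows\System32\cmd.exe",
     r'certutil -verify C:\certs\server.cer'),
]

# Constructed batch fragment resembling the pattern described in the thread
# (rename, encode, delete, plus a late decode of an embedded blob).
SAMPLE_BAT = r"""@echo off
rem constructed fragment for triage testing
ren "D:\docs\report.xlsx" "report.xlsx.tmp"
certutil -encode "D:\docs\report.xlsx.tmp" "D:\docs\report.xlsx.enc"
del "D:\docs\report.xlsx.tmp"
certutil -encode "D:\docs\notes.txt.tmp" "D:\docs\notes.txt.enc"
del "D:\docs\notes.txt.tmp"
certutil -decode "%TEMP%\blob.txt" "%TEMP%\music.mp3"
"""

# Matches certutil / certutil.exe followed by -encode or -decode anywhere on the line.
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*?-(encode|decode)\b", re.IGNORECASE)


def detect_certutil_loop(events, min_calls=5, window=timedelta(seconds=60)):
    """Flag parent processes that spawn `certutil -encode` at least `min_calls`
    times inside any `window`-long interval. Returns [(parent_lowercase, peak_count)]."""
    by_parent = defaultdict(list)
    for ts, parent, cmdline in events:
        m = CERTUTIL_RE.search(cmdline)
        if m and m.group(1).lower() == "encode":
            by_parent[parent.lower()].append(datetime.fromisoformat(ts))

    alerts = []
    for parent, times in by_parent.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_calls:
            alerts.append((parent, peak))
    return alerts


def triage_bat(text):
    """Count certutil encode/decode calls and file deletes in a batch script.
    'suspicious' is True when the script both encodes several files and deletes
    files, the combination the thread describes."""
    counts = {"encode": 0, "decode": 0, "delete": 0}
    for line in text.splitlines():
        m = CERTUTIL_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
        if re.match(r"\s*(del|erase)\b", line, re.IGNORECASE):
            counts["delete"] += 1
    counts["suspicious"] = counts["encode"] >= 2 and counts["delete"] >= 1
    return counts


if __name__ == "__main__":
    for parent, n in detect_certutil_loop(SAMPLE_EVENTS):
        print(f"ALERT: {n} certutil -encode calls within 60s under {parent}")
    print("batch triage:", triage_bat(SAMPLE_BAT))
```

The threshold of five encodes per minute is a starting point, not a tuned value; the benign PowerShell call is excluded because it is a single event, not because of its parent, so a legitimate script that bulk-converts certificates would still need an allow-list entry.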

Andy Ful

From Hard_Configurator Tools
In the wild, the malicious BAT was wrapped in an EXE file which pretended to be an Excel document, so the BAT malware was not executed manually by the user. This means that the malware could also bypass SysHardener protection for BAT files and some SRP configs based on Default Security Level = "Basic User" (the "Disallowed" setting will block it).
It is possible that Kaspersky's proactive protection could block the initial EXE, especially with tweaked Application Control.
 
