If vendors spent less on marketing and more on capability, our job would be a lot harder

Cryptominers, keyloggers, and exploit kits. This is just a small sample of the malware we discovered in the environment of a financial services firm during a recent Proof of Concept. 

The client (our PoC was successful) had been using a ‘next-gen’ end-point protection solution, and so was naturally confident it was protected… it didn’t take long to shatter this illusion. 

Valyria, Ursnif, Spector, and Redkit were just some of the malware variants we found on the system in various locations. Not only had all these attacks bypassed the firm’s external defenses, but its end-point protection solution had completely failed to protect its end-points.

During the course of our PoCs, we compare our service against some of the world’s largest vendors – Cylance, Symantec, Palo Alto, Microsoft, McAfee, CrowdStrike Falcon and ClamAV.

We do this because we know the marketing dollars behind some of these firms are something we could never hope (nor want) to compete against. 

Where we do know we can compete is where it actually matters – in the trenches, in our technical capability and expertise.  

During this particular four-month PoC, we found nine infections that had been successful (as well as stopping numerous attempted attacks). 

Below, we’ve listed each of the pieces of malware we discovered, the vendors that missed them, and the hashes for security analysts to update their defenses. 

If vendors spent less money on marketing, and more on their technical capability, maybe the list would be shorter… it would mean our PoCs wouldn’t be as effective, but it would also mean enterprises received the protection they paid for. 


| Date discovered | File location | Hash (MD5) | Missed by |
|---|---|---|---|
| 11-17-2017 | C:\ProgramData\AppCache\15\ | db66c0c457a93cb5edee3be08fe8482e | ClamAV, CrowdStrike Falcon, Palo Alto |
| 11-17-2017 | C:\ProgramData\AppCache\14\ | 2e3ef3fb0446bd89dc3fa5654561abfa | ClamAV, CrowdStrike Falcon, Palo Alto |
| 11-20-2017 | C:\ProgramData\UpdateService\UpdateService.exe | 7fc2305f251e97a3481377626bd43589 | ClamAV |
| 11-30-2017 | C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater | e2adbb633978703d346c137e367dea3e | CrowdStrike Falcon, Cylance, Palo Alto, Symantec, TrendMicro |
| 11-30-2017 | http://cdntc[.]advancedmaccleaner[.]com/amc/update/helperamc.zip (67.219.149.66) | 5bafb135e1d7ba0a5acd0fbbeb2a93e1 | Kaspersky, Microsoft, Cylance, CrowdStrike, etc. |
| 12-06-2017 | E:\Tools\PwDump7.exe | d1337b9e8bac0ee285492b89f895cadb | Palo Alto |
| 12-09-2017 | “Pending - World Company Registry 2018-2019 [REF:DRE-10336]” with attachment “wbl-F18.pdf” | 390cbdc7622c8feb24615fe26d6ec00b | Cylance, CrowdStrike, TrendMicro, Symantec, Palo Alto, Microsoft, etc. |
| 12-09-2017 | armmasnmcznxqieqqty[.]com (86.121.20.39:80) | 6f0d2954ac01e40f78b858ae8538f622, 4751f5e3b35e143a71c996fab767fd94 | Cylance, CrowdStrike, Kaspersky |
| 01-10-2018 | C:\Users\actadmin\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE | 1819d2f1cef27c3ea9043805c32a67b6 | Cylance, Palo Alto, Microsoft |
| 01-11-2018 | C:\Windows\winexesvc.exe | 1dadc5a0c5ccf09a973293f9c8fa5565 | Cylance, Palo Alto, Microsoft, CrowdStrike Falcon, Symantec, ClamAV, McAfee, TrendMicro |
| 02-06-2018 | C:\Windows\winipbin\svrltwp.dll | 6c9d5bcf352bce26aeb44bfed8f9e837 | Cylance, CrowdStrike, Carbon Black, Symantec, McAfee, etc. |
| 03-06-2018 | C:\Users\Admin\Appdata\Local\Temp\Invoice\#0516242 | cf1e813a23ffad3773519915c116d49c | Cylance, CrowdStrike, McAfee, etc. |
| 03-07-2018 | LMNTRIX Labs finding - https://lmntrix.com/Lab/Lab_info.php?id=102 | ec917948471862504b19b643eb6e5e1f | CrowdStrike, Palo Alto, ESET-NOD32 |
| 03-13-2018 | C:\kworking\kf54816.exe | e9e0448d44e3f6836a68e619c95d0460 | CrowdStrike, Microsoft, Symantec, TrendMicro |
| 03-22-2018 | anx.mindspark.com (74.113.233.192) | 8e722dfde28bdfc6b2c15e4152d64ec5 | Cylance, McAfee, Microsoft, Palo Alto, TrendMicro |
| 03-22-2018 | dp.tb.ask.com (74.113.235.138) | 38092dffe8d4147e06ae9c8296a733ab | Cylance, McAfee, Microsoft, Palo Alto, TrendMicro |
| 04-06-2018 | http://download.driverupdate.net/5.5.0/x64/DriverUpdate-setup.exe | 6f3040136fcdc1d4082990958df32a5c | Cylance, CrowdStrike, Symantec, BitDefender, TrendMicro, Palo Alto, Sophos |
| 04-06-2018 | C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\4P8HTX0P\TransitSimplified.e9d0cbf2698f4cfc8b2a925b206ac3e6.exe | 97c128587b1c857867516a448d2fff76 | Cylance, Palo Alto, Symantec, TrendMicro, McAfee |
| 04-06-2018 | Exchange | 35c95218de2662011c234198dc12b7fb | CrowdStrike, Cylance, Microsoft, Sophos, BitDefender |
| 04-27-2018 | Exchange | a25c43b6adb93fcaa5f192cf2fbfd0a2 | CrowdStrike, Cylance, Palo Alto, Symantec, TrendMicro, etc. |
| 05-03-2018 | C:\Users\DEBRAE~1.CSP\AppData\Local\Temp\nsaB515.tmp\nsDialogs.dll | 069a101bebdfb14e86993cf75b84daae | CrowdStrike, Cylance, Palo Alto, TrendMicro, etc. |
| 05-14-2018 | pupdate.exe | 0c501ef71d3a3d27e9e24b5d26da1055 | CrowdStrike, Cylance, Palo Alto, TrendMicro, BitDefender, Symantec |
| 05-16-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\C6Q9D2W1\MyTransitPlanner.014a5ab5662c4d1cb4e1e8f3a04d4deb.exe | 18030b77a3d83be0904324d2b8ccc8b5 | Cylance, Palo Alto, McAfee, Symantec, CrowdStrike, TrendMicro |
| 05-22-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\SIG7SW7Z\onlineroutefinder.0f77d170234641e78a719e8d084949c3.exe | ce06e3a4d2a62043778c0e3d5e8aa4ab | CrowdStrike, Palo Alto, McAfee, Symantec, TrendMicro, Cylance |
| 06-05-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\HX3P80ST\YourTemplateFinder.4d34e29d850e4e01942f5bd40735d7dd.exe | 8fc2863ca41ffa67aa59b2ffe053d7e0 | Cylance, Palo Alto, BitDefender, Symantec, ClamAV, Cybereason |
| 06-05-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\YK7SSNOO\PasswordLogic.45180c2a5bde4efa999bd0a25ce6d965.exe | bafcdd571828c35c9aa63b10038e104e | Cylance, Palo Alto, BitDefender, TrendMicro, Sophos |
| 06-12-2018 | http://swms.505web.com/wp-content/uploads/GalleryPhotos/racing-in-new-mexico-300x200.jpg | 9b8fdc6a3d8e7fa06c89dbebff078a1c | CrowdStrike, BitDefender, TrendMicro, Symantec, Cybereason |
| 06-12-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\QKHM34PO\PDFConverterHQ.fcf715bf0e1a4a718c81d64bfb2bfda3.exe | ffd95187e3eba87391a52156e88baa01 | Cylance, Symantec, TrendMicro, Palo Alto, Cybereason |
| 07-10-2018 | URL: http://ak[.]imgfarm[.]com/ | b417bc52fcf3de63f53aff0d56be27ae | Cylance, Palo Alto, McAfee, TrendMicro, Symantec, Cybereason |
| 07-12-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\9R6LWJJS\FlightSearch.19e56bdac5ad4cb9b0b8f76c0cf559f0.exe | a1e9e35c35ed7cd8acc17f732be349b2 | Cylance, Symantec, TrendMicro, Cybereason |
| 07-31-2018 | C:\Users\%User%\AppData\Local\Temp\TMP882~1\duguse.exe | 6f474a9d994030159f308255dcde56c4 | Cylance, MalwareBytes |
| 08-01-2018 | http[:]//wcdownloadercdn[.]Lavasoft[.]com/4.3.1908.3686/WcInstaller.exe?X-OpenDNS-Session=_ac5107060d19c042a70b9f50a7f98b40646a9270f749_8c529ddf_ | 093a2ab652ca9de0751399c98be37eb5 | CrowdStrike, Cylance, BitDefender, MalwareBytes, McAfee, Palo Alto, Symantec, TrendMicro, Cybereason |
| 08-03-2018 | http[:]//mirrors[.]ocf[.]Berkeley[.]edu/kali/pool/main/m/mimikatz/mimikatz_2.1.1-20180616-0kali1_all.deb | c9824353fadb6ff2900bf48b345acf14 | MalwareBytes, McAfee, TrendMicro, CrowdStrike, Cylance, Palo Alto, Cybereason |
| 08-08-2018 | 34.209.102.204 (ec2-34-209-102-204.us-west-2.compute.amazonaws.com) | ff818f114588b2f94ba60515e2f6f258 | Cylance, Symantec, TrendMicro, Palo Alto, Cybereason |
| 08-15-2018 | hxxp://www[.]springdwnld2[.]com/download/? (IP address 50.63.202.14, botnet command & control server) | 0d83a645018d9c2cd6ad9d00ff721636 | BitDefender, Cylance, ESET-NOD32, MalwareBytes, McAfee, Palo Alto, Symantec, TrendMicro, Cybereason |
| 08-20-2018 | C:\Users\%User%\Downloads\SetupImgBurn_2.5.8.0.exe | 0b4c94f8480f8cd13e160bceaaaa8b29 | BitDefender, CrowdStrike, MalwareBytes, McAfee, Palo Alto |
| 08-21-2018 | http[:]//amazon-sudan.com[/]671846A/identity/Personal/ (144.76.73.24) | 92376b6e376b48dac3a28fb4d464ac92 | MalwareBytes, Cylance, CrowdStrike, Palo Alto, Cybereason |
| 08-29-2018 | C:\Users\%User%\AppData\Local\Yahoo\yset\webExt_DL.exe | f57fbb2d7e78805d40e0e85a4325141d | CrowdStrike, BitDefender, MalwareBytes, Kaspersky, McAfee, Symantec, Cybereason |
| 09-06-2018 | C:\Users\%User%\AppData\Local\Programs\CouponViewer\Add-On\2017.4.7.1\CVHP.exe | 6af5d425afc8ed742e1c2e6b835ca96b | BitDefender, CrowdStrike, McAfee, Palo Alto, TrendMicro, Cybereason |
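Since the table above is published so that analysts can update their defenses, here is an added example (written for this page, not LMNTRIX tooling) of turning rows in the table's raw format into indicators and sweeping a directory tree for files whose MD5 matches one of the listed hashes. The rows embedded in `SAMPLE_TABLE` are copied from the table; the path and file names in the scanner are assumptions, and all function names are this example's own.

```python
import hashlib
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Set, Tuple

# Rows copied from the table above (constructed subset): one plain row, one row
# that lists two hashes, and one row whose path was wrapped across three lines.
SAMPLE_TABLE = r"""
11-17-2017 C:\ProgramData\AppCache\15\ db66c0c457a93cb5edee3be08fe8482e clamav; crowdstrike falcon, palo alto
12-09-2017 armmasnmcznxqieqqty[.]com (86.121.20.39:80) 6f0d2954ac01e40f78b858ae8538f622 4751f5e3b35e143a71c996fab767fd94 cylance, crowdstrike, kapersky
04-06-2018 C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\4P8HTX0P\
TransitSimplified.e9d0cbf2698f4cfc8b2a925b206ac3e6.exe
97c128587b1c857867516a448d2fff76 Cylance, Palo Alto, Symantec, TrendMicro, McAfee
"""

# A date at the start of a line opens a new row; lines without one continue the previous row.
DATE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4})\s+")
# An MD5 is 32 hex characters standing alone as a token. The look-arounds stop the hex
# string embedded in a name such as TransitSimplified.e9d0...3e6.exe from being taken as a hash.
MD5_RE = re.compile(r"(?<!\S)[0-9a-fA-F]{32}(?!\S)")


@dataclass
class Indicator:
    date: str
    location: str
    md5s: List[str]
    missed: List[str]


def _join_rows(text: str) -> List[Tuple[str, str]]:
    """Re-join rows that were wrapped across lines; returns (date, body) pairs."""
    rows: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.match(line)
        if m:
            rows.append([m.group(1), line[m.end():]])
        elif rows:
            prev = rows[-1][1]
            # A path broken right after a separator continues without a space.
            sep = "" if prev.endswith(("\\", "/")) else " "
            rows[-1][1] = prev + sep + line
    return [(r[0], r[1]) for r in rows]


def parse_ioc_table(text: str) -> List[Indicator]:
    """Parse raw table rows into Indicator records (rows without a hash are skipped)."""
    indicators = []
    for date, body in _join_rows(text):
        hashes = list(MD5_RE.finditer(body))
        if not hashes:
            continue
        location = body[: hashes[0].start()].strip()
        tail = body[hashes[-1].end():]
        missed = [v.strip().rstrip(".").lower() for v in re.split(r"[,;]", tail)]
        missed = [v for v in missed if v and v != "etc"]
        indicators.append(Indicator(date, location, [h.group(0).lower() for h in hashes], missed))
    return indicators


def indicator_md5s(indicators: List[Indicator]) -> Set[str]:
    """Flatten all hashes from the parsed rows into one lookup set."""
    return {h for ind in indicators for h in ind.md5s}


def md5_of_file(path: str) -> str:
    """Stream a file through MD5 so large files do not need to be read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, known: Set[str]) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, md5) for every file whose MD5 is in `known`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and open
            if digest in known:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory>  (defaults to the current directory)
    known_hashes = indicator_md5s(parse_ioc_table(SAMPLE_TABLE))
    for hit_path, hit_md5 in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", known_hashes):
        print(f"MATCH {hit_md5} {hit_path}")
```

Exact-hash matching only finds the identical binary: a rebuilt or repacked sample has a different MD5, and MD5 itself is collision-prone, so treat a sweep like this as a quick check against the published list, not as a substitute for behavioural detection.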

So, if you’re worried the security solution you bought isn’t living up to its marketing hype, please get in touch with us at info@lmntrix.com


On 2018-03-22