Cryptominers, keyloggers, and exploit kits. These are just a small sample of the malware we discovered in the environment of a financial services firm during a recent proof of concept (PoC).
The client (our PoC was a success) had been using a ‘next-gen’ endpoint protection solution, so it was naturally confident it was protected… it didn’t take long to shatter this illusion.
Valyria, Ursnif, Spector, and Redkit were just some of the malware variants we found on the system in various locations. Not only had all these attacks bypassed the firm’s external defenses, but its endpoint protection solution had completely failed to protect its endpoints.
During the course of our PoCs, we compare our service against some of the world’s largest vendors – Cylance, Symantec, Palo Alto Networks, Microsoft, McAfee, CrowdStrike Falcon, Trend Micro, Cybereason, Sophos, Malwarebytes, Bitdefender, and ClamAV.
We do this because we know the marketing dollars behind some of these firms are something we could never hope (nor want) to compete against.
Where we do know we can compete is where it actually matters – in the trenches, in our technical capability and expertise.
During this particular four-month PoC, we found nine successful infections (as well as stopping numerous attempted attacks).
Below, we’ve listed each piece of malware we discovered, the vendors that missed it, and the hashes so security analysts can update their defenses.
If vendors spent less money on marketing and more on their technical capability, maybe the list would be shorter… it would mean our PoCs weren’t as effective, but it would also mean enterprises received the protection they paid for.
Date Discovered | File Location | Hash (MD5) | Missed |
--- | --- | --- | --- |
11-17-2017 | C:\ProgramData\AppCache\15\ | db66c0c457a93cb5edee3be08fe8482e | ClamAV, CrowdStrike Falcon, Palo Alto |
11-17-2017 | C:\ProgramData\AppCache\14\ | 2e3ef3fb0446bd89dc3fa5654561abfa | ClamAV, CrowdStrike Falcon, Palo Alto |
11-20-2017 | C:\ProgramData\UpdateService\UpdateService.exe | 7fc2305f251e97a3481377626bd43589 | ClamAV |
11-30-2017 | C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater | e2adbb633978703d346c137e367dea3e | CrowdStrike Falcon, Cylance, Palo Alto, Symantec, Trend Micro |
11-30-2017 | http://cdntc[.]advancedmaccleaner[.]com/amc/update/helperamc.zip (67.219.149.66) | 5bafb135e1d7ba0a5acd0fbbeb2a93e1 | Kaspersky, Microsoft, Cylance, CrowdStrike, etc. |
12-06-2017 | E:\Tools\PwDump7.exe | d1337b9e8bac0ee285492b89f895cadb | Palo Alto |
12-09-2017 | “Pending – World Company Registry 2018-2019 [REF:DRE-10336]” with attachment “wbl-F18.pdf” | 390cbdc7622c8feb24615fe26d6ec00b | Cylance, CrowdStrike, Trend Micro, Symantec, Palo Alto, Microsoft, etc. |
12-09-2017 | armmasnmcznxqieqqty[.]com (86.121.20.39:80) | 6f0d2954ac01e40f78b858ae8538f622, 4751f5e3b35e143a71c996fab767fd94 | Cylance, CrowdStrike, Kaspersky |
01-10-2018 | C:\Users\actadmin\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE | 1819d2f1cef27c3ea9043805c32a67b6 | Cylance, Palo Alto, Microsoft |
01-11-2018 | C:\Windows\winexesvc.exe | 1dadc5a0c5ccf09a973293f9c8fa5565 | Cylance, Palo Alto, Microsoft, CrowdStrike Falcon, Symantec, ClamAV, McAfee, Trend Micro |
02-06-2018 | C:\Windows\winipbin\svrltwp.dll | 6c9d5bcf352bce26aeb44bfed8f9e837 | Cylance, CrowdStrike, Carbon Black, Symantec, McAfee, etc. |
03-06-2018 | C:\Users\Admin\AppData\Local\Temp\Invoice\#0516242 | cf1e813a23ffad3773519915c116d49c | Cylance, CrowdStrike, McAfee, etc. |
03-07-2018 | LMNTRIX LABS Finding – https://lmntrix.com/Lab/Lab_info.php?id=102 | ec917948471862504b19b643eb6e5e1f | CrowdStrike, Palo Alto |
03-13-2018 | C:\kworking\kf54816.exe | e9e0448d44e3f6836a68e619c95d0460 | CrowdStrike, Microsoft, Symantec, Trend Micro |
03-22-2018 | anx.mindspark.com (74.113.233.192) | 8e722dfde28bdfc6b2c15e4152d64ec5 | Cylance, McAfee, Microsoft, Palo Alto, Trend Micro |
03-22-2018 | dp.tb.ask.com (74.113.235.138) | 38092dffe8d4147e06ae9c8296a733ab | Cylance, McAfee, Microsoft, Palo Alto, Trend Micro |
04-06-2018 | http://download.driverupdate.net/5.5.0/x64/DriverUpdate-setup.exe | 6f3040136fcdc1d4082990958df32a5c | Cylance, CrowdStrike, Symantec, Bitdefender, Trend Micro, Palo Alto, Sophos |
04-06-2018 | C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\4P8HTX0P\TransitSimplified.e9d0cbf2698f4cfc8b2a925b206ac3e6.exe | 97c128587b1c857867516a448d2fff76 | Cylance, Palo Alto, Symantec, Trend Micro, McAfee |
04-06-2018 | Exchange | 35c95218de2662011c234198dc12b7fb | CrowdStrike, Cylance, Microsoft, Sophos, Bitdefender |
04-27-2018 | Exchange | a25c43b6adb93fcaa5f192cf2fbfd0a2 | CrowdStrike, Cylance, Palo Alto, Symantec, Trend Micro, etc. |
05-03-2018 | C:\Users\DEBRAE~1.CSP\AppData\Local\Temp\nsaB515.tmp\nsDialogs.dll | 069a101bebdfb14e86993cf75b84daae | CrowdStrike, Cylance, Palo Alto, Trend Micro, etc. |
05-14-2018 | pupdate.exe | 0c501ef71d3a3d27e9e24b5d26da1055 | CrowdStrike, Cylance, Palo Alto, Trend Micro, Bitdefender, Symantec |
05-16-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\C6Q9D2W1\MyTransitPlanner.014a5ab5662c4d1cb4e1e8f3a04d4deb.exe | 18030b77a3d83be0904324d2b8ccc8b5 | Cylance, Palo Alto, McAfee, Symantec, CrowdStrike, Trend Micro |
05-22-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\SIG7SW7Z\onlineroutefinder.0f77d170234641e78a719e8d084949c3.exe | ce06e3a4d2a62043778c0e3d5e8aa4ab | CrowdStrike, Palo Alto, McAfee, Symantec, Trend Micro, Cylance |
06-05-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\HX3P80ST\YourTemplateFinder.4d34e29d850e4e01942f5bd40735d7dd.exe | 8fc2863ca41ffa67aa59b2ffe053d7e0 | Cylance, Palo Alto, Bitdefender, Symantec, ClamAV, Cybereason |
06-05-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\YK7SSNOO\PasswordLogic.45180c2a5bde4efa999bd0a25ce6d965.exe | bafcdd571828c35c9aa63b10038e104e | Cylance, Palo Alto, Bitdefender, Trend Micro, Sophos |
06-12-2018 | http://swms.505web.com/wp-content/uploads/GalleryPhotos/racing-in-new-mexico-300×200.jpg | 9b8fdc6a3d8e7fa06c89dbebff078a1c | CrowdStrike, Bitdefender, Trend Micro, Symantec, Cybereason |
06-12-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\QKHM34PO\PDFConverterHQ.fcf715bf0e1a4a718c81d64bfb2bfda3.exe | ffd95187e3eba87391a52156e88baa01 | Cylance, Symantec, Trend Micro, Palo Alto, Cybereason |
07-10-2018 | URL: http://ak[.]imgfarm[.]com/ | b417bc52fcf3de63f53aff0d56be27ae | Cylance, Palo Alto, McAfee, Trend Micro, Symantec, Cybereason |
07-12-2018 | C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\IE\9R6LWJJS\FlightSearch.19e56bdac5ad4cb9b0b8f76c0cf559f0.exe | a1e9e35c35ed7cd8acc17f732be349b2 | Cylance, Symantec, Trend Micro, Cybereason |
07-31-2018 | C:\Users\%User%\AppData\Local\Temp\TMP882~1\duguse.exe | 6f474a9d994030159f308255dcde56c4 | Cylance, Malwarebytes |
08-01-2018 | http[:]//wcdownloadercdn[.]Lavasoft[.]com/4.3.1908.3686/WcInstaller.exe?X-OpenDNS-Session=_ac5107060d19c042a70b9f50a7f98b40646a9270f749_8c529ddf_ | 093a2ab652ca9de0751399c98be37eb5 | CrowdStrike, Cylance, Bitdefender, Malwarebytes, McAfee, Palo Alto, Symantec, Trend Micro, Cybereason |
08-03-2018 | http[:]//mirrors[.]ocf[.]Berkeley[.]edu/kali/pool/main/m/mimikatz/mimikatz_2.1.1-20180616-0kali1_all.deb | c9824353fadb6ff2900bf48b345acf14 | Malwarebytes, McAfee, Trend Micro, CrowdStrike, Cylance, Palo Alto, Cybereason |
08-08-2018 | 34.209.102.204 (ec2-34-209-102-204.us-west-2.compute.amazonaws.com) | ff818f114588b2f94ba60515e2f6f258 | Cylance, Symantec, Trend Micro, Palo Alto, Cybereason |
08-15-2018 | hxxp://www[.]springdwnld2[.]com/download/? (50.63.202.14, botnet command & control server) | 0d83a645018d9c2cd6ad9d00ff721636 | Bitdefender, Cylance, Malwarebytes, McAfee, Palo Alto, Symantec, Trend Micro, Cybereason |
08-20-2018 | C:\Users\%User%\Downloads\SetupImgBurn_2.5.8.0.exe | 0b4c94f8480f8cd13e160bceaaaa8b29 | Bitdefender, CrowdStrike, Malwarebytes, McAfee, Palo Alto |
08-21-2018 | http[:]//amazon-sudan.com[/]671846A/identity/Personal/ (144.76.73.24) | 92376b6e376b48dac3a28fb4d464ac92 | Malwarebytes, Cylance, CrowdStrike, Palo Alto, Cybereason |
08-29-2018 | C:\Users\%User%\AppData\Local\Yahoo\yset\webExt_DL.exe | f57fbb2d7e78805d40e0e85a4325141d | CrowdStrike, Bitdefender, Malwarebytes, Kaspersky, McAfee, Symantec, Cybereason |
09-06-2018 | C:\Users\%User%\AppData\Local\Programs\CouponViewer\Add-On\2017.4.7.1\CVHP.exe | 6af5d425afc8ed742e1c2e6b835ca96b | Bitdefender, CrowdStrike, McAfee, Palo Alto, Trend Micro, Cybereason |
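For analysts who want to use the hashes above, here is an added example (not LMNTRIX tooling) that parses rows in the table's own "date | location | MD5 | missed" format, copes with the cells that carry two digests or mixed ','/';' vendor separators, and hashes files against the result. The two sample rows are taken from the table above; the directory argument to scan_directory is an assumption of the example.

```python
import hashlib
import re
from pathlib import Path

# The hash cell may hold more than one 32-hex MD5 (one row above lists two).
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)

# Sample input: the header and two rows taken from the table above.
SAMPLE_TABLE = """\
Date Discovered | File Location | Hash (MD5) | Missed |
11-20-2017 | C:\\ProgramData\\UpdateService\\UpdateService.exe | 7fc2305f251e97a3481377626bd43589 | ClamAV |
12-09-2017 | armmasnmcznxqieqqty[.]com (86.121.20.39:80) | 6f0d2954ac01e40f78b858ae8538f622, 4751f5e3b35e143a71c996fab767fd94 | Cylance, CrowdStrike, Kaspersky |
"""

def parse_ioc_table(text):
    """Map each MD5 (lower-cased) to its row; lines with no digest, such as the header, are skipped."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue
        date, location, hash_cell, missed = cells[:4]
        # The source table separates vendor names with ',' or ';' inconsistently.
        vendors = [v.strip() for v in re.split(r"[,;]", missed) if v.strip()]
        for digest in MD5_RE.findall(hash_cell):
            iocs[digest.lower()] = {"date": date, "location": location, "missed": vendors}
    return iocs

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def scan_blobs(blobs, iocs):
    """blobs: {name: bytes}. Returns [(name, md5, row)] for each blob whose digest is in iocs."""
    hits = []
    for name, data in blobs.items():
        digest = md5_of_bytes(data)
        if digest in iocs:
            hits.append((name, digest, iocs[digest]))
    return hits

def scan_directory(root, iocs):
    """Hash every regular file under root (an assumed path argument) and compare against iocs."""
    blobs = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return scan_blobs(blobs, iocs)

if __name__ == "__main__":
    import sys
    for name, digest, row in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", parse_ioc_table(SAMPLE_TABLE)):
        print(f"MATCH {name} md5={digest} first seen {row['date']}, missed by {', '.join(row['missed'])}")
```

Paste the full table into SAMPLE_TABLE (or read it from a file) to check a host against every row; an MD5 match is a strong indicator but a non-match says nothing, since the hashes here cover only the samples this one PoC observed.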
So, if you’re worried the security solution you bought isn’t living up to its marketing hype, please get in touch with us at info@lmntrix.com or learn more about LMNTRIX at lmntrix.com.