{"id":3044,"date":"2024-09-25T21:02:46","date_gmt":"2024-09-25T21:02:46","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=3044"},"modified":"2025-07-29T07:00:15","modified_gmt":"2025-07-29T07:00:15","slug":"if-vendors-spent-less-on-marketing-and-more-on-capability-our-job-would-be-a-lot-harder","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/if-vendors-spent-less-on-marketing-and-more-on-capability-our-job-would-be-a-lot-harder\/","title":{"rendered":"If vendors spent less on marketing and more on capability, our job would be a lot harder"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Cryptominers, keyloggers, and exploit kits. This is just a small sample of the malware we discovered in the environment of a financial services firm during a recent Proof of Concept. 

The client (our PoC was successful) had been using a \u2018next-gen\u2019 end-point protection solution, so was naturally confident it was protected\u2026 it didn\u2019t take long to shatter this illusion. 

Valyria, Ursnif, Spector, and Redkit were just some of malware variants we found on the system in various locations. Not only had all these attacks bypassed the firm\u2019s external defenses, but its end-point protection solution had completely failed to protect its end-points.

During the course of our PoCs, we compare our service against some of the world\u2019s largest vendors \u2013 Cylance, Symantec, Palo Alto Netorks,, Microsoft, McAfee, Crowdstrike Falcon, Trend Micro, Cyberreason, Sophos, MalwareBytes, BitDefender, and Clamav.   

We do this because we know the marketing dollars behind some of these firms is something we could never hope (nor want) to compete against. 

Where we do know we can compete, is where it actually matters \u2013 in the trenches, in our technical capability and expertise.  

During this particular four-month PoC, we found nine infections that had been successful (as well as stopping numerous attempted attacks). 

Below, we\u2019ve listed each of the pieces of malware we discovered, the vendors that missed them, and the hashes for security analysts to update their defenses. 

If vendors spent less money on marketing, and more on their technical capability, maybe the list would be shorter\u2026 it would mean our PoCs wouldn\u2019t be as effective, but it would also mean enterprises received the protection they paid for. <\/p>\n\n\n\n

Date Discovered<\/strong><\/td>File Location<\/strong><\/td>Hash (md5)<\/strong><\/td>Missed<\/strong><\/td><\/tr>
11-17-2017<\/td>C:\\ProgramData\\AppCache\\15\\<\/td>db66c0c457a93cb5edee3be08fe8482e<\/td>clamav; crowdstrike falcon, palo alto<\/td><\/tr>
11-17-2017<\/td>C:\\ProgramData\\AppCache\\14\\<\/td>2e3ef3fb0446bd89dc3fa5654561abfa<\/td>clamav, crowdstrike falcon, palo alto<\/td><\/tr>
11-20-2017<\/td>C:\\ProgramData\\UpdateService\\UpdateService.exe<\/td>7fc2305f251e97a3481377626bd43589<\/td>clamav<\/td><\/tr>
11-30-2017<\/td>C:\\Program Files (x86)\\AskPartnerNetwork\\Toolbar\\Updater<\/td>e2adbb633978703d346c137e367dea3e<\/td>crowdstrike falcon, cylance, palo alto, symantec, TrendMicro<\/td><\/tr>
11-30-2017<\/td>http:\\\/\\\/cdntc[.]advancedmaccleaner[.]com\/amc\/update\/helperamc.zip.
 67.219.149.66<\/td>		5bafb135e1d7ba0a5acd0fbbeb2a93e1<\/td>kapersky, microsoft, cylance, crowdstrike, etc.<\/td><\/tr>
12-06-2017<\/td>E:\\Tools\\PwDump7.exe<\/td>d1337b9e8bac0ee285492b89f895cadb<\/td>palo alto<\/td><\/tr>
12-09-2017<\/td>\u201cPending – World Company Registry 2018-2019 [REF:DRE-10336]\u201d with attachment \u201cwbl-F18.pdf\u201d<\/td>390cbdc7622c8feb24615fe26d6ec00b<\/td>cylance, crowdstrike, trendmicro, symantect, palo alto, microsoft, etc<\/td><\/tr>
12-09-2017<\/td>armmasnmcznxqieqqty[.]com (86.121.20.39:80)<\/td>6f0d2954ac01e40f78b858ae8538f622 4751f5e3b35e143a71c996fab767fd94<\/td>cylance, crowdstrike, kapersky<\/td><\/tr>
01-10-2018<\/td>C:\\Users\\actadmin\\AppData\\Roaming\\UPDATE~1\\UPDATE~1\\UPDATE~1.EXE<\/td>1819d2f1cef27c3ea9043805c32a67b6<\/td>cylance, palo alto, microsoft<\/td><\/tr>
01-11-2018<\/td>C:\\Windows\\winexesvc.exe<\/td>1dadc5a0c5ccf09a973293f9c8fa5565<\/td>cylance, palo alto, microsoft, crowdstrike falcon, symantec, clamav, mcafee, TrendMicro<\/td><\/tr>
02-06-2018<\/td>C:\\Windows\\winipbin\\svrltwp.dll<\/td>6c9d5bcf352bce26aeb44bfed8f9e837<\/td>cylance, crowdstrike, carbon black, symantec, mcafee, etc.<\/td><\/tr>
03-06-2018<\/td>C:\\Users\\Admin\\Appdata\\Local\\Temp\\Invoice\\#0516242<\/td>cf1e813a23ffad3773519915c116d49c<\/td>cylance, crowdstrike, mcafee, etc<\/td><\/tr>
03-07-2018<\/td>LMNTRIX LABS Finding – https:\/\/lmntrix.com\/Lab\/Lab_info.php?id=102<\/td>ec917948471862504b19b643eb6e5e1f<\/td>crowdstrike, palo alto<\/td><\/tr>
03-13-2018<\/td>C:\\kworking\\kf54816.exe<\/td>e9e0448d44e3f6836a68e619c95d0460<\/td>crowdstrike, microsoft, symantec, TrendMicro<\/td><\/tr>
03-22-2018<\/td>anx.mindspark.com (74.113.233.192)<\/td>8e722dfde28bdfc6b2c15e4152d64ec5<\/td>Cylance, McAfee, Microsoft, Palo Alto, TrendMicro<\/td><\/tr>
03-22-2018<\/td>dp.tb.ask.com (74.113.235.138)<\/td>38092dffe8d4147e06ae9c8296a733ab<\/td>Cylance, McAfee, Microsoft, Palo Alto, TrendMicro<\/td><\/tr>
04-06-2018<\/td>http:\/\/download.driverupdate.net\/5.5.0\/x64\/DriverUpdate-setup.exe<\/td>6f3040136fcdc1d4082990958df32a5c<\/td>Cylance, Crowdstrike, Symantec, BitDefender, TrendMicro, Palo Alto, Sophos<\/td><\/tr>
04-06-2018<\/td>C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\4P8HTX0P\\
TransitSimplified.e9d0cbf2698f4cfc8b2a925b206ac3e6.exe<\/td>		97c128587b1c857867516a448d2fff76<\/td>Cylance, Palo Alto, Symantec, TrendMicro, McAfee<\/td><\/tr>
04-06-2018<\/td>Exchange <\/td>35c95218de2662011c234198dc12b7fb<\/td>Crowdstrike, Cylance, Microsoft, Sophos, BitDefender<\/td><\/tr>
04-27-2018<\/td>Exchange <\/td>a25c43b6adb93fcaa5f192cf2fbfd0a2<\/td>Crowdstrike, Cylance, Palo Alto, Symantec, TrendMicro, etc.<\/td><\/tr>
05-03-2018<\/td>C:\\Users\\DEBRAE~1.CSP\\AppData\\Local\\Temp\\nsaB515.tmp\\nsDialogs.dll<\/td>069a101bebdfb14e86993cf75b84daae<\/td>Crowdstrike, Cylance, Palo Alto, TrendMicro, etc.<\/td><\/tr>
05-14-2018<\/td>pupdate.exe<\/td>0c501ef71d3a3d27e9e24b5d26da1055<\/td>Crowdstrike, Cylance, Palo Alto, TrendMicro, BitDefender, Symantec<\/td><\/tr>
05-16-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\C6Q9D2W1\\
MyTransitPlanner.014a5ab5662c4d1cb4e1e8f3a04d4deb.exe<\/td>		18030b77a3d83be0904324d2b8ccc8b5<\/td>Cylance, Palo Alto, McAfee, Symantec,Crowdstrike, TrendMicro <\/td><\/tr>
05-22-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\SIG7SW7Z\\
onlineroutefinder.0f77d170234641e78a719e8d084949c3.exe<\/td>		ce06e3a4d2a62043778c0e3d5e8aa4ab<\/td>Crowdstrike, Palo Alto, McAfee,Symantec, TrendMicro,Cylance<\/td><\/tr>
06-05-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\HX3P80ST\\
YourTemplateFinder.4d34e29d850e4e01942f5bd40735d7dd.exe<\/td>		8fc2863ca41ffa67aa59b2ffe053d7e0<\/td>Cylance, Palo Alto, BitDefender, Symantec, ClamAV, Cybereason<\/td><\/tr>
06-05-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\YK7SSNOO\\
PasswordLogic.45180c2a5bde4efa999bd0a25ce6d965.exe<\/td>		bafcdd571828c35c9aa63b10038e104e<\/td>Cylance, Palo Alto, BitDefender, TrendMicro, Sophos<\/td><\/tr>
06-12-2018<\/td>http:\/\/swms.505web.com\/wp-content\/uploads\/GalleryPhotos\/racing-in-new-mexico-300×200.jpg<\/td>9b8fdc6a3d8e7fa06c89dbebff078a1c<\/td>Crowdstrike, BitDefender, TrendMicro, Symantec, Cybereason<\/td><\/tr>
06-12-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\QKHM34PO\\
PDFConverterHQ.fcf715bf0e1a4a718c81d64bfb2bfda3.exe<\/td>		ffd95187e3eba87391a52156e88baa01<\/td>Cylance, Symantec, TrendMicro, Palo Alto, Cybereason<\/td><\/tr>
07-10-2018<\/td>URL: http:\/\/ak[.]imgfarm[.]com\/<\/td>b417bc52fcf3de63f53aff0d56be27ae<\/td>Cylance, Palo Alto, McAfee, TrendMicro, Symantec, Cybereason<\/td><\/tr>
07-12-2018<\/td>C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\
IE\\9R6LWJJS\\FlightSearch.19e56bdac5ad4cb9b0b8f76c0cf559f0.exe<\/td>		a1e9e35c35ed7cd8acc17f732be349b2<\/td>Cylance,Symantec, TrendMicro, Cybereason<\/td><\/tr>
07-31-2018<\/td>C:\\Users\\%User%\\AppData\\Local\\Temp\\TMP882~1\\duguse.exe<\/td>6f474a9d994030159f308255dcde56c4<\/td>Cylance, MalwareBytes<\/td><\/tr>
08-01-2018<\/td>http[:]\/\/wcdownloadercdn[.]Lavasoft[.]com\/4.3.1908.3686\/WcInstaller.exe?X-OpenDNS-Session=_ac5107060d19c042a70b9f50a7f98b40646a9270f749_8c529ddf_<\/td>093a2ab652ca9de0751399c98be37eb5<\/td>Crowdstrike, Cylance, BitDefender, MalwareBytes, McAfee, Palo Alto, Symantec, TrendMicro, Cybereason<\/td><\/tr>
08-03-2018<\/td>http[:]\/\/mirrors[.]ocf[.]Berkeley[.]edu\/kali\/pool\/main\/m\/mimikatz\/mimikatz_2.1.1-20180616-0kali1_all.deb<\/td>c9824353fadb6ff2900bf48b345acf14<\/td>MalwareBytes, McAfee, TrendMicro, Crowdstrike, Cylance, Palo Alto, Cybereason<\/td><\/tr>
08-08-2018<\/td>34.209.102.204 (ec2-34-209-102-204.us-west-2.compute.amazonaws.com)<\/td>ff818f114588b2f94ba60515e2f6f258<\/td>Cylance, Symantec, TrendMicro, Palo Alto, Cybereason<\/td><\/tr>
08-15-2018<\/td>hxxp:\/\/www[.]springdwnld2[.]com\/download\/?
IP address: 50.63.202.14 [ Botnet Command &   Control server]<\/td>		0d83a645018d9c2cd6ad9d00ff721636<\/td>BitDefender, Cylance, MalwareBytes,McAfee, Palo Alto, Symantec, TrendMicro, Cybereason<\/td><\/tr>
08-20-2018<\/td>C:\\Users\\%User%\\Downloads\\SetupImgBurn_2.5.8.0.exe<\/td>0b4c94f8480f8cd13e160bceaaaa8b29<\/td>BitDefender, Crowdstrike, MalwareBytes, McAfee, Palo Alto<\/td><\/tr>
08-21-2018<\/td>http[:]\/\/amazon-sudan.com[\/]671846A\/identity\/Personal\/
144.76.73.24<\/td>		92376b6e376b48dac3a28fb4d464ac92<\/td>MalwareBytes, Cylance, Crowdstrike, Palo Alto, Cybereason<\/td><\/tr>
08-29-2018<\/td>C:\\Users\\%User%\\AppData\\Local\\Yahoo\\yset\\webExt_DL.exe<\/td>f57fbb2d7e78805d40e0e85a4325141d<\/td>Crowdstrike, BitDefender, MalwareBytes, Kaspersky, McAfee, Symantec, Cybereason<\/td><\/tr>
09-06-2018<\/td>C:\\Users\\%User%\\AppData\\Local\\Programs\\CouponViewer\\Add-On\\2017.4.7.1\\CVHP.exe<\/td>6af5d425afc8ed742e1c2e6b835ca96b<\/td>BitDefender, Crowdstrike, McAfee, Palo Alto, TrendMicro, Cybereason<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

So, if you\u2019re worried the security solution you bought isn\u2019t living up to its marketing hype, please get in touch with us at info@lmntrix.com<\/a> or learn more about LMNTRIX at lmntrix.com<\/a>. 

Want to know more about next-generation security?  Head over to the below articles to learn more.<\/p>\n\n\n\n