Endpoint Protection

  • 1.  Weird Strings appeared on Symantec module

    Posted Feb 17, 2019 02:35 AM

    - Dear All, I observed weird strings that appeared in a DLL module loaded by ccSvcHst.exe (the Symantec process) in memory.

    - During analysis of this DLL module I found a string pointing to a ransomware domain on the onion network.

    - First I suspected it could be related to the virus definitions update; however, examining this module I didn't find any other domains or strings except for this site. With my search I found it's a C2 that is being used by ransomware as a service:

    "http://kdvm5fd6tn6jsbwh[.]onion[.]to"

    - I need some help to identify whether this is legitimate Symantec behaviour or something I need to dig deeper into.

    - I reached out to Symantec support and didn't get a solid reply yet.

    - Any feedback will be much appreciated, especially as I didn't spot this module on all machines in the network with Symantec Endpoint installed.
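As an added example (not code from this thread, and not Symantec's own tooling), the following script does the kind of string triage described in the post above: it pulls URLs out of a dump of a module's memory, including UTF-16LE strings that a plain ASCII scan misses, separates onion-related hosts (including Tor2web-style `.onion.to` gateways) from the rest, and defangs everything for a report. The sample dump is constructed inline; the `.onion` hostname is the one quoted in the thread, while the MZ header bytes and the `liveupdate.example.invalid` hostname are placeholders, not real Symantec artefacts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a dump of a module's memory. The .onion
# hostname is the one quoted in the thread; the MZ header and the liveupdate
# hostname are placeholders, not real Symantec artefacts.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00PLACEHOLDER-HEADER"
    + b"http://kdvm5fd6tn6jsbwh.onion.to\x00"                       # ASCII string
    + b"\x00" * 8
    + "https://liveupdate.example.invalid/".encode("utf-16-le")   # wide string
    + b"\x00" * 8
    + "http://kdvm5fd6tn6jsbwh.onion".encode("utf-16-le")          # wide string
)

# Same URL shape for raw bytes and for decoded text. The path stops at
# whitespace, NUL or quote characters, which is how strings end in memory.
_URL_BYTES = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?")
_URL_TEXT = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?")


def extract_urls(blob: bytes) -> list:
    """Return the sorted set of URLs present as ASCII or UTF-16LE strings.

    Windows modules keep many strings as UTF-16LE, which a `strings`-style
    ASCII scan misses, so both encodings are searched. Both byte alignments
    are decoded because a wide string may start at an odd offset.
    """
    found = set()
    for m in _URL_BYTES.finditer(blob):
        found.add(m.group(0).decode("ascii", "replace"))
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", "ignore")
        found.update(m.group(0) for m in _URL_TEXT.finditer(text))
    return sorted(found)


def is_onion_host(host: str) -> bool:
    """True for Tor hidden-service hosts and Tor2web-style gateways (x.onion.to)."""
    return "onion" in host.lower().split(".")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked when pasted in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(blob: bytes) -> dict:
    """Split URLs found in a dump into onion-related ones and the rest, defanged."""
    result = {"onion": [], "other": []}
    for url in extract_urls(blob):
        host = urlsplit(url).hostname or ""
        bucket = "onion" if is_onion_host(host) else "other"
        result[bucket].append(defang(url))
    return result


if __name__ == "__main__":
    # Read a real dump with open(path, "rb").read() in place of SAMPLE_DUMP.
    for bucket, urls in triage(SAMPLE_DUMP).items():
        for u in urls:
            print(f"{bucket:5s} {u}")
```

The point of scanning both encodings is the thread's own question: a single onion host seen in one encoding may be one of several the module actually carries, so comparing a full (ASCII plus UTF-16LE) string inventory against the vendor's published list is a sounder basis for a support case than a single hit.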




  • 2.  RE: Weird Strings appeared on Symantec module

    Posted Feb 17, 2019 02:41 AM

    - I found the article below, but when I compared it to what I have, I found it contains more than one domain. In my case only a single domain appears in the memory dump, so I don't think it matches my case.


    https://support.symantec.com/en_US/article.TECH236384.html




  • 3.  RE: Weird Strings appeared on Symantec module

    Posted Feb 17, 2019 11:57 AM

    May be best to engage support.