URGENT SUPPORT REQUEST: ADVANCED STEALER MALWARE INJECTION INTO KASPERSKY PROCESS (Revised for AI Credit)


Lê Huy Hoàng
Posted

1. Initial Context and Symptoms

  • Infection Vector: Likely initiated by running a cracked tool/software.

  • Symptoms: Received unsolicited Microsoft one-time codes and password reset emails.

  • Security Setup: The affected machine runs Windows 10/11 with Kaspersky running in real-time (no alerts).

2. Technical Findings (Forensics)

The following critical findings were discovered not through manual user inspection, but through an AI-assisted diagnostic process:

  • AI-Guided Diagnostics: I used an AI Assistant to analyze suspicious system behavior after initial self-detection failed. The AI guided me through terminal commands (such as netstat -ano and tasklist) to map network connections to running processes.

  • Crucial Discovery (The Compromise):

    • The diagnostic process identified a highly suspicious external connection associated with PID 5752.

    • Mapping PID 5752 confirmed it belongs to the Kaspersky (32-bit) process.

    • The connection was directed to a foreign, non-Kaspersky IP: 81.19.104.253 (in Russia).

    • Conclusion: This provides strong evidence that a Stealer/Trojan malware used Process Injection to hide and operate within the trusted Kaspersky process space, thus neutralizing the protection and exfiltrating data.

3. Damage Assessment and Actions Taken

  • Data Compromise: High risk that the Enpass Master Password and local files have been compromised.

  • Immediate Actions:

    1. Network Disconnection: Permanently disconnected the machine from the internet.

    2. Emergency Password Change: Changed all critical passwords using a separate, trusted device.

    3. Future Plan: Planning a full, clean Windows reinstall.

4. Request to Kaspersky Experts

I am seeking the community's and Kaspersky's official guidance on:

  1. Confirming the validity of this AI-assisted finding regarding Process Injection into the Kaspersky process.

  2. Guidance on how to formally report this sample and the associated C2 IP (81.19.104.253) for analysis by Kaspersky Labs.

  3. Any recommended steps for advanced artifact analysis that should be performed before the system is completely wiped.
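Added example (not part of the post above, and not Kaspersky's code): the `netstat -ano` / `tasklist` mapping described in section 2 done in PowerShell, extended with the two checks that actually bear on the injection claim. Mapping a PID to a process name only tells you which image owns the socket; it does not tell you whether foreign code is running inside it, and a signed security product that proxies web traffic (as the reply below points out) is expected to connect to arbitrary remote hosts. So the script also verifies the Authenticode signature of the owning image and lists modules loaded into that process whose signature does not validate, which is what an injected DLL would typically look like. The remote address is taken from the post and is a parameter; the function names are this example's own. Run in an elevated PowerShell on Windows 10/11; the product's self-defense may deny module enumeration, which the script reports rather than treating as evidence.

```powershell
# Added example: map TCP connections to owning processes, then check the image
# signature and the signatures of loaded modules. Not from the original post.
param(
    # Address from the post; pass '' to list every established connection.
    [string]$RemoteAddress = '81.19.104.253'
)

# PowerShell equivalent of `netstat -ano` joined with `tasklist`.
function Get-ConnectionOwners {
    param([string]$Remote)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { [string]::IsNullOrEmpty($Remote) -or $_.RemoteAddress -eq $Remote } |
        ForEach-Object {
            $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path   = if ($proc) { $proc.Path } else { $null }
            $status = 'n/a'; $signer = 'n/a'
            if ($path) {
                # Authenticode check of the image that owns the socket.
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                PID       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                Path      = $path
                SigStatus = $status
                Signer    = $signer
            }
        }
}

# Injection leaves the host image and its signature intact; what changes is
# what is loaded inside the process. List modules whose signature does not
# validate. Caveat: some OS files are catalog-signed and may show NotSigned
# here, so treat a hit as a lead to examine, not as proof of compromise.
function Get-UnsignedModules {
    param([int]$ProcessId)
    try {
        $p = Get-Process -Id $ProcessId -ErrorAction Stop
        foreach ($m in $p.Modules) {
            $s = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($s.Status -ne 'Valid') {
                [pscustomobject]@{
                    PID    = $ProcessId
                    Module = $m.ModuleName
                    Path   = $m.FileName
                    Status = $s.Status
                }
            }
        }
    } catch {
        # Protected processes (AV self-defense) commonly refuse this; say so
        # explicitly instead of silently returning an empty list.
        Write-Warning "Cannot enumerate modules of PID $ProcessId (access denied or protected process): $_"
    }
}

$owners = Get-ConnectionOwners -Remote $RemoteAddress
$owners | Format-Table -AutoSize

foreach ($pid in ($owners.PID | Sort-Object -Unique)) {
    Get-UnsignedModules -ProcessId $pid
} | Format-Table -AutoSize
```

Reading the output: a connection owned by an image whose `SigStatus` is `Valid` with the vendor as signer, and no unsigned modules inside it, is consistent with the product's own network activity and is not by itself evidence of process injection. Unexpected unsigned or oddly located modules inside that process are what would support the claim and are worth preserving (copy the files and their hashes) before the reinstall planned in section 3. Where the remote address is registered should be checked with a whois or RDAP lookup rather than taken from an assistant's summary.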

Posted

Nice AI-generated text.
Can you please repost that in your own words?
There are a few inconsistencies. For example, what data was transferred to the unknown IP? Was it taken into account that Kaspersky essentially acts as a proxy? Who claims that the IP belongs to Russia (it is actually located in Frankfurt, Germany)?

With further information, it might be possible to make a statement, but not yet.
