- Dear all, I observed weird strings in a DLL module loaded by ccSvcHst.exe ("Symantec process") in memory.
- During analysis of this DLL module I found a string pointing to a ransomware domain on the onion network.
- At first I suspected it could be related to a virus definitions update; however, examining this module I didn't find any other domains or strings except for this site. From my search I found it's a C2 that is being used by ransomware as a service:
"http://kdvm5fd6tn6jsbwh[.]onion[.]to"
- I need some help to identify whether this is legitimate Symantec behaviour or something I need to dig deeper into.
- I reached out to Symantec support and didn't get a solid reply yet.
- Any feedback will be much appreciated, especially as I didn't spot this module on all machines in the network with Symantec Endpoint installed.