Carbon Black Cloud: Why was NSudo.exe blocked?

Environment

  • Carbon Black Cloud Sensor
  • NSudo Application

Question

Why was NSudo.exe, with hash 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618, blocked?

Answer

Although nsudo.exe used to be included as part of the VMware OS Optimization Tool, its use has now been deprecated.

Unfortunately, nsudo.exe has recently been leveraged by attackers, particularly as a privilege escalation tool, in some cases to disable MS Defender or to make unwanted system modifications, as described in the Threat Intelligence write-up below:

BATLOADER: The Evasive Downloader Malware – VMware Security Blog

For this reason, the binary has now been categorized as a potentially unwanted application (PUA), which, like suspected malware, should be blocked or terminated at execution.


Additional Notes

Although the tool does not become a threat until it is weaponized as described in the write-up, we recommend removing it from the machines as a precautionary step.
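The following is an added example (not part of the article or a Carbon Black tool) for locating copies of the binary on a host before removing it: it walks a directory tree, flags any executable whose SHA-256 equals the hash quoted in the question, and separately flags files named nsudo.exe whose hash differs (other builds or a renamed file), so those can be reviewed rather than missed. The known-hash set and name list are parameters so they can be extended from your own threat intelligence.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 of the NSudo build quoted in the question above.
NSUDO_SHA256 = "19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618"


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_nsudo(root, known_hashes=frozenset({NSUDO_SHA256}), names=frozenset({"nsudo.exe"})):
    """Return (path, reason) pairs for files under `root` that look like NSudo.

    "hash-match" means the file is byte-identical to a known NSudo build and can be
    removed with confidence; "name-match" means only the file name matches (a different
    build or version), which warrants a manual look before removal.
    Only .exe files are hashed to keep a full-drive scan practical.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or locked file; skip rather than abort the scan
            if digest in known_hashes:
                hits.append((str(path), "hash-match"))
            elif name.lower() in names:
                hits.append((str(path), "name-match"))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed usage: python find_nsudo.py C:\  (or any directory to inventory)
    for path, reason in find_nsudo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```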


Article Information
Creation Date: 03-21-2023