The samples I created successfully download and execute malicious code. Just by changing the link inside, I can change what gets downloaded, and because the obfuscation relies on randomly generated algorithms, it's fair to say that my 20-minute craft is also polymorphic. Such an attack will bypass many security solutions. The modified 0-day loader does not do anything malicious, so it can be stopped by WD with some ASR rules, but not by the default settings. Generally, AV home versions are not good at fighting such attacks. Although KIS (default settings) has better protection than most home AVs, it can fail in many cases too. There are so many possibilities that no generic algorithm can be sufficiently good.
The modified version of NanoCore that gets executed is fully functional; it didn't fail to obtain the credentials stored in Google Chrome. It also communicated with its C&C server.
I could easily distribute this sample if I wanted. This is another proof that the performance achieved in 0-day tests in labs is virtually impossible in practice.