Have you tried signing it with a valid certificate? I suspect that you'll see a similar (if not worse) detection rate drop.
-
I agree - we wrote about this in our FIN7 blog, linking to academic research, and presented anomaly yara rules that applied for that as well as CVE-2020-0601. Pure static detection: you'd be better off with a valid cheap cert vs.
#CurveBall https://twitter.com/ItsReallyNick/status/1217916473685004288?s=20 …pic.twitter.com/WndX0c2P0U
-
Ah, I've just noticed your samples. This tweet explains it.
-
Chainoffools? Seriously?
-
Why the hell are heuristics engines using signed vs unsigned *AT ALL* as a measure of confidence in the maliciousness of an executable? It’s supposed to ensure it comes from where you expect it to, it doesn’t mean squat about what it does.