It’s an MBR destroyer malware that was able to bypass some products like Avast, Bitdefender, ESET. It also bypassed Avast’s CyberCapture, ESET’s cloud sandbox, and some public sandbox services gave it only a 6/10 malicious confidence.
So I guess it’s not easy to detect it. I tested it on a VM with Avast and it wasn’t bootable anymore after restart.
Anyway, I hope the Avast team can find some kind of heuristic detection for it to block similar variants and update the behavior blocker to block malware like this. For example, Avira, Norton, Kaspersky detected it by heuristics prior to execution.
I submitted to Avast already:
Edit: To my surprise, within 10 minutes of my submission now it’s detected as “FileRepMalware [Misc]” for the main one, and I also tried changing file hash which was detected as “Win64:Trojan-gen”. So it’s not just a file based hash blocking. It actually found something malicious in the code and created a signature and pushed via stream updates.
Wow! So an automated generic detection in less than 10 minutes? That’s super impressive. Not sure if any other products have this kind of fast automated signature creation system. I was aware of Avast’s automation but didn’t know that it can even create generic detections like this.
I still hope an Avast analyst gets hold of a sample like this one and also covers it via behavior detection if possible, so that Avast can protect users whether the sample was previously seen by Avast or not. The MBR can be destroyed in less than a second, so it’s important to protect it.
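As an added example from a defender's side (not code from the poster, and unrelated to how the sample itself works), here is a small MBR integrity check: it parses the 512-byte first sector, verifies the 0x55AA boot signature and a non-empty partition table, and compares the sector against a previously recorded SHA-256 baseline. The sample sector is constructed inline; `read_mbr` reads the real sector on Windows via `\\.\PhysicalDrive0`, which is an assumption about the environment and requires administrator rights, so it is not called at import time.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sample MBR: blank boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes(440)
    disk_signature = b"\x12\x34\x56\x78"   # constructed value
    reserved = b"\x00\x00"
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + bytes(16 * 3)           # three unused entries
    return boot_code + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(PARTITION_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count})
    return entries


def baseline_hash(mbr):
    """SHA-256 of the sector, to be stored when the machine is known good."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr, expected_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("unexpected sector size")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not parse_partitions(mbr):
        findings.append("partition table empty")
    if expected_sha256 is not None and baseline_hash(mbr) != expected_sha256:
        findings.append("sector differs from recorded baseline")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk (Windows path shown; needs admin rights)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    recorded = baseline_hash(good)
    print("intact sector:", check_mbr(good, recorded))
    print("wiped sector: ", check_mbr(bytes(MBR_SIZE), recorded))
```

Running the baseline comparison from a scheduled task or an EDR script gives a cheap after-the-fact signal that the sector was overwritten; it does not prevent the write, which is what the behavior blocker discussed above would need to do.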