Bypass Record

Obfuscation / Packing × ESET NOD32 Antivirus

A publicly-reported instance of Obfuscation / Packing bypassing ESET NOD32 Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

ESET NOD32 Antivirus

Technique

Obfuscation / Packing

MITRE ATT&CK

T1027

Confidence

High

Severity

High

Status

poc

Disclosed

2023-08-25

Config / version noted

Not stated

Provenance

citadelo.com
disclosed 2023-08-25 · original source · via raw

Reported as

bypassed ESET NOD32 antivirus by modifying the Meterpreter DLL source and recompiling, and by embedding encoded shellcode

Mechanism

The attack evaded NOD32 by: 1) Recompiling the metsrv.x86.dll from source with debug build to change its signature, preventing detection when loaded reflectively. 2) Generating shikata_ga_nai-encoded Meterpreter shellcode, embedding it in a C++ executable, and adding a runtime check that only executes the payload if the executable filename matches a specific string, avoiding static analysis detection.

Detection & mitigation

Monitor for suspicious process creation with unusual command-line arguments or filenames that match known penetration testing tools. Use behavior-based detection to identify Meterpreter-like network connections and in-memory DLL loading patterns. Ensure AV signatures are updated and consider application whitelisting to prevent execution of unauthorized binaries.

Obfuscation / Packing has also been recorded against

Bitdefender Elastic Microsoft

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.