
Attackers can use Microsoft Defender to download viruses and malware


The latest update to Microsoft Defender Antivirus for Windows 10 allows it to be used to download viruses, malware, and other files to a Windows computer.

Security researcher Mohammed Askar discovered this ability to download malware.

The Microsoft Defender Command Line Tool update now includes a new command line argument -DownloadFile. The directive allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location using a dedicated command.

“Well, you can download a file from the internet using Windows Defender itself. In this example, I was able to download Cobalt Strike beacon using the binary ‘MpCmdRun.exe’ which is the ‘Microsoft Malware Protection Command Line’,” Askar stated on Twitter.

This allows a local attacker to effectively use Defender as a so-called “living-off-the-land binary” (LOLBin). This is the case when legitimate software is used for malicious purposes – for example, to download a virus using an anti-virus program.

It looks like this new ability was added to Defender with the July update, version 4.18.2007.8, so the functionality has been there for almost two months now.

Bleeping Computer experts tested the download method found by Mohammed Askar and used it to fetch the WastedLocker ransomware, which recently caused serious problems in Garmin’s infrastructure and reportedly prompted the company to pay a multi-million dollar ransom.

“The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it is unknown if other AV software will allow this program to bypass their detections,” write Bleeping Computer specialists.

However, only a local user can initiate such a download.

This still adds a headache for network administrators: they now have one more Windows executable that they need to monitor so that it is not used against enterprise security.
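As an illustration of that monitoring task, here is an added example (not code from the article, from Askar, or from Microsoft) that runs over constructed process-creation telemetry and flags MpCmdRun.exe invoked with the -DownloadFile switch, or run from a directory other than Defender's own install locations. The CSV layout, hosts, users and timestamps are assumptions; the arguments after the switch are intentionally omitted from the sample.

```python
import csv
import io
import ntpath

# Directories where Defender's own MpCmdRun.exe lives (platform updates are
# staged under ProgramData). Copies executed from elsewhere are suspicious.
EXPECTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed telemetry, shaped like a CSV export of Sysmon Event ID 1 or
# Security Event 4688. All values are made up for this example; the arguments
# following -DownloadFile are deliberately left out.
SAMPLE_EVENTS = r"""time,host,user,image,command_line
2020-09-02T10:01:07Z,WS01,CORP\alice,C:\Program Files\Windows Defender\MpCmdRun.exe,MpCmdRun.exe -Scan -ScanType 1
2020-09-02T10:03:44Z,WS01,CORP\alice,C:\Program Files\Windows Defender\MpCmdRun.exe,MpCmdRun.exe -DownloadFile <arguments omitted>
2020-09-02T10:05:12Z,WS02,CORP\bob,C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.8-0\MpCmdRun.exe,mpcmdrun.exe /downloadfile <arguments omitted>
2020-09-02T10:06:30Z,WS03,CORP\carol,C:\Users\Public\MpCmdRun.exe,MpCmdRun.exe -Scan -ScanType 1
2020-09-02T10:07:01Z,WS03,CORP\carol,C:\Windows\System32\cmd.exe,cmd.exe /c echo -DownloadFile
"""


def is_download_switch(token: str) -> bool:
    """Windows switches may be written with '-' or '/' and are case-insensitive."""
    return token.lstrip("-/").lower() == "downloadfile"


def detect_mpcmdrun_abuse(csv_text: str) -> list:
    """One alert per event where MpCmdRun.exe carries the -DownloadFile switch
    or is executed from outside Defender's install directories."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"].lower()
        if ntpath.basename(image) != "mpcmdrun.exe":
            continue  # the switch only matters when MpCmdRun.exe itself runs
        reasons = []
        # Whitespace split suffices: we only need to spot the switch token.
        if any(is_download_switch(t) for t in row["command_line"].split()):
            reasons.append("download switch")
        if not ntpath.dirname(image).startswith(EXPECTED_DIRS):
            reasons.append("unexpected image path")
        if reasons:
            alerts.append({"time": row["time"], "host": row["host"],
                           "user": row["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_mpcmdrun_abuse(SAMPLE_EVENTS):
        print(alert)
```

The alert records the user because, as the article notes, only a local user can trigger the download, so the account is the natural pivot for triage.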

As a reminder, last month Microsoft deprecated the DisableAntiSpyware registry setting in Microsoft Defender: the value assigned to it (0 – enabled, 1 – disabled) is ignored once the update is installed. Thus, the tech giant took away from users the ability to permanently disable the antivirus solution.

At the same time, Microsoft Defender behaves very strangely, if not to say impudently: we wrote about Microsoft Defender flagging CCleaner as a malicious application, and then treating the HOSTS file as malicious if it blocks telemetry. It looks like Windows users got a real Pandora’s Box in their computers.

About The Author
Vladimir Krasnogolovy