Currently there is a new phishing campaign targeting companies in Eastern European countries. The Remcos RAT malware is to be foisted on them – the attackers can then use the Remote Access Tool (RAT) to access the infected systems. Security researchers at Sentinel One have documented this campaign in this blog post. Colleagues at Bleeping Computer had picked up on it in this post. The Sentinel One article explains how the attack works in order to get the Remcos RAT malware onto the system.

The attachment of the phishing emails contains a tar.lz archive. Inside it are the DBatLoader files, which usually disguise themselves as Microsoft Office, LibreOffice or PDF documents by using duplicate extensions and/or application icons, but contain the Remcos RAT malware. If the recipient of the phishing email decompresses this archive and executes the unzipped executable, DBatLoader downloads and executes an obfuscated second stage payload from a public cloud location (Google Drive, OneDrive).

The malware then creates and executes an initial Windows batch script in the %Public%\Libraries directory. This script abuses a known method of bypassing Windows User Account Control, where trusted directories such as %SystemRoot%\System32 are faked by appending trailing spaces to the folder names. This allows attackers to perform advanced activities without alerting users.

I had overheard it in passing from my colleagues at Bleeping Computer, but had not grasped the explosive nature of the whole thing. That's why I'm presenting the facts separately below.

Microsoft introduced User Account Control (UAC) with Windows Vista to let users confirm requests for elevated user privileges by applications via a UAC message. Standard users need an administrator account password to do this. But there are two pitfalls that make this a nightmare. I confess, it was not clear to me until now, or I never thought about it.

Microsoft has defined so-called trusted folders in Windows. David Wells uncovered this in 2018 in the post UAC Bypass by Mocking Trusted Directories on Medium. A program that requires elevated user rights at startup triggers no user account control (UAC) query if the other prerequisites are present. In addition to the requirement in the manifest that there be an auto-elevation of user privileges (the program then automatically requests the elevated user privileges at startup, which would normally trigger the UAC request), the program must be properly digitally signed. And as a last condition, the program must be located in a trusted directory like:

If all of this is given, the associated process gets elevated system privileges via auto-elevation without displaying a UAC prompt. Unfortunately, there is a second weakness in Windows that goes by the name "mocked folder". As a user, you can create folders that have names similar to Windows' trusted folders. To do this, you append a space to these names.

[Figure: Mocked Folders of the DBatLoader, Source: Sentinel One]
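The trailing-space trick described above leaves a recognisable trace in process-creation telemetry: an image path whose directory component looks like a trusted folder but carries trailing whitespace. The following detection logic is an added example (not code from the Sentinel One article or from this blog); it runs over constructed Sysmon-style event records, and the trusted-directory list is an assumption limited to the %SystemRoot%\System32 path the page names, resolved to a C:\Windows prefix.

```python
"""Flag process image paths that mimic a trusted auto-elevation directory
by padding a path component with trailing whitespace (mocked folders)."""

from typing import List, Optional, Tuple

# Assumption: trusted directories to watch. The page names %SystemRoot%\System32;
# %SystemRoot% is assumed to resolve to C:\Windows here.
TRUSTED_DIRS = (r"C:\Windows\System32",)


def mocked_trusted_dir(image_path: str) -> Optional[str]:
    """Return the trusted directory the path is impersonating, or None.

    A genuine trusted path has no whitespace-padded components, so a path is
    flagged only when (a) at least one component ends in whitespace and
    (b) the path with that padding stripped falls under a trusted directory.
    """
    parts = image_path.split("\\")
    if all(p == p.rstrip() for p in parts):
        return None  # no padded component: cannot be a mocked folder
    normalized = "\\".join(p.rstrip() for p in parts).lower()
    for trusted in TRUSTED_DIRS:
        if normalized.startswith(trusted.lower() + "\\"):
            return trusted
    return None


def scan_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'key=value|key=value' event lines (constructed format) and return
    (UtcTime, Image, mimicked trusted directory) for every suspicious image."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split("|") if "=" in f)
        image = fields.get("Image", "")
        mimicked = mocked_trusted_dir(image)
        if mimicked:
            hits.append((fields.get("UtcTime", "?"), image, mimicked))
    return hits


# Constructed sample events: one legitimate System32 process, one loader-style
# script from %Public%\Libraries, and one executable launched from a mocked folder.
SAMPLE_EVENTS = [
    "UtcTime=2023-03-28 09:00:01|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2023-03-28 09:00:05|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\Public\\Libraries\\init.bat",
    "UtcTime=2023-03-28 09:00:09|Image=C:\\Windows \\System32\\easinvoker.exe|ParentImage=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for when, image, mimicked in scan_events(SAMPLE_EVENTS):
        print(f"{when}: {image!r} impersonates {mimicked}")
```

Because the comparison strips padding per component, the check also catches variants with more than one trailing space or padding on the System32 component rather than the Windows one.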