The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems. Loaded in this way, the harmful code can bypass the system protection mechanism.
If you are not familiar with LoLBins, those are Microsoft-signed executable files download or bundled with the OS that can be used a third-party to evade detection while downloading, installing, or executing malicious code. Windows Update client (wuauclt) appears to be one of them.
The tool is located under %windir%\system32\wuauclt.exe, and is designed to control Windows Update (some of its features) from the command line.
MDSec researcher David Middlehurst discovered that wuauclt can also be used by attackers to execute malicious code on Windows 10 systems by loading it from an arbitrary specially crafted DLL with the following command-line options:
wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer
The Full_Path_To_DLL portion is the absolute path to the attacker's specially crafted DLL file that would execute code on attach. Being running by the Windows Update client, it enables attackers to bypass anti-virus, application control, and digital certificate validation protection. The worst thing is that Middlehurst also found a sample using it in the wild.
It is worth noting that earlier it was discovered that Microsoft Defender included the ability to download any file from the Internet and bypass the security checks. Luckily, starting in Windows Defender Antimalware Client version 4.18.2009.2-0 Microsoft has removed the appropriate option from the app, and it can no longer be used for quiet file downloads.
Source: Bleeping Computer
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!