Windows Update can be used in a bad way to execute malicious programs

The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) that attackers can use to execute malicious code on Windows systems. Loaded in this way, the malicious code can bypass the system's protection mechanisms.


If you are not familiar with LoLBins, they are Microsoft-signed executable files, downloaded or bundled with the OS, that a third party can use to evade detection while downloading, installing, or executing malicious code. The Windows Update client (wuauclt) appears to be one of them.

The tool is located under %windir%\system32\wuauclt.exe, and is designed to control Windows Update (some of its features) from the command line.

MDSec researcher David Middlehurst discovered that wuauclt can also be used by attackers to execute malicious code on Windows 10 systems by loading an arbitrary, specially crafted DLL with the following command-line options:

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

The [path_to_dll] portion is the absolute path to the attacker's specially crafted DLL file, which executes code when it is loaded. Because it is run by the Windows Update client, this lets attackers bypass anti-virus, application control, and digital certificate validation protections. Worse, Middlehurst also found a sample using this technique in the wild.

It is worth noting that it was discovered earlier that Microsoft Defender included the ability to download any file from the Internet while bypassing security checks. Luckily, starting in Windows Defender Antimalware Client version 4.18.2009.2-0, Microsoft has removed the relevant option from the app, and it can no longer be used for quiet file downloads.

Source: Bleeping Computer
