CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Content source
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
Windows has a built-in program called CertUtil, which can be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows.
One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax "certutil.exe -urlcache -split -f output.file". Security researcher [URL='https://twitter.com/subTee']Casey Smith tweeted in 2017 his concerns that this method could be used to download malware.
Click to expand...
Using CertUtil+Base64 to Bypass Security Software

Today security consultant and ISC Handler Xavier Mertens published a handler diary that adds a twist to the use of CertUtil that may make it easier for attacker's downloads to remain undetected by edge security devices. This is to first base64 encode the malicious file so it appears as harmless text and then decode it after it has been downloaded using CertUtil.exe.


As already discussed, you can download a file using CertUtil.exe by using the following command:

certutil.exe -urlcache -split -f output.file

This will download the file in its original form and save it to the computer. The problem with this method is that network security devices can detect the file as malicious and block it.
...
.....
Click to expand...
http:// output.file This will down...as malicious and block it. ... ..... [/QUOTE][/QUOTE]
 
  • Like
Reactions: Daviworld, Andy Ful, upnorth and 7 others
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus
Replies
1
Views
715
News Archive
Andy Ful
Andy Ful
CyberTech
    • Like
    • +Reputation
    • Wow
RustBucket malware: A PDF could finish your Mac
Replies
0
Views
969
News Archive
CyberTech
CyberTech
vtqhtr413
    • Like
    • +Reputation
Bypassing Bitlocker, Security Engineer shows us How
Replies
4
Views
1,385
News Archive
wat0114
wat0114

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top