Windows 10 background image tool can be abused to download malware

CyberTech

A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.
Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors are abusing them in post-exploitation phases to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware and to bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services.

 

silversurfer

Executive Summary
  • Security professionals care about uncovering LOLBins; we found a new one that can be used to download arbitrary files as an alternative to certutil.
  • It can be run by standard users on most versions of Windows 10 used in the enterprise.
  • EDR practitioners should update their queries and watchlists to treat desktopimgdownldr.exe (new LOLBin binary) like certutil.exe.
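The summary above tells EDR practitioners to put desktopimgdownldr.exe on the same watchlist as certutil.exe. The following is an added detection example, not code from the thread or from any vendor: it runs a watchlist rule over a handful of constructed process-creation lines (Sysmon-style `key=value` text, not real telemetry). Two signals are assumed here rather than stated in the thread: a URL appearing in the command line of a watchlisted binary, and desktopimgdownldr.exe being started by an interactive or scripting shell rather than by the OS's own personalization code paths. The host names, IP addresses, URLs and parent-process heuristic are all constructed for the example.

```python
"""Watchlist detection for download-capable LOLBins over constructed
process-creation events (added example, not from the forum thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries the thread names as download-capable LOLBins.
DOWNLOAD_LOLBINS = {"desktopimgdownldr.exe", "certutil.exe"}

# Assumption: an http(s) URL in the command line is the download indicator.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Assumed heuristic: desktopimgdownldr.exe is normally launched by Windows'
# own personalization components, so a user shell or script host as parent
# is worth flagging even without a visible URL.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (not real logs). EventID=1 is process creation.
SAMPLE_EVENTS = [
    'EventID=1 Host=ws01 Image=C:\\Windows\\System32\\desktopimgdownldr.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="desktopimgdownldr.exe https://files.example.invalid/update.bin"',
    'EventID=1 Host=ws01 Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="certutil.exe -dump C:\\certs\\corp.cer"',
    'EventID=1 Host=ws02 Image=C:\\Windows\\System32\\desktopimgdownldr.exe '
    'ParentImage=C:\\Windows\\System32\\svchost.exe '
    'CommandLine="desktopimgdownldr.exe"',
    'EventID=1 Host=ws03 Image=C:\\Windows\\System32\\certutil.exe '
    'ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="certutil.exe <args> http://203.0.113.10/a.txt"',
    'EventID=3 Host=ws03 Image=C:\\Windows\\System32\\certutil.exe DestinationIp=203.0.113.10',
]


@dataclass
class Alert:
    host: str
    image: str
    parent: str
    url: Optional[str]
    reason: str


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[Alert]:
    """Apply the watchlist rule to process-creation events and return alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue  # only process-creation events carry a command line
        image = basename(ev.get("Image", ""))
        if image not in DOWNLOAD_LOLBINS:
            continue
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        match = URL_RE.search(cmd)
        url = match.group(0) if match else None
        reasons = []
        if url:
            reasons.append("url-in-commandline")
        if image == "desktopimgdownldr.exe" and parent in SHELL_PARENTS:
            reasons.append("launched-from-shell")
        if reasons:
            alerts.append(Alert(ev.get("Host", "?"), image, parent, url, "+".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host}: {a.image} (parent {a.parent}) url={a.url} reason={a.reason}")
```

Running it flags the desktopimgdownldr.exe launch from cmd.exe with a URL and the certutil.exe launch with a URL, while the certutil.exe certificate dump and the desktopimgdownldr.exe start from svchost.exe pass silently. In a real EDR query the same two conditions map onto the process name and command line fields of whatever schema the product uses; the URL match is the portable part, and the parent-process heuristic should be baselined against the environment before alerting on it.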
 

jogs

Is there anything in Windows that can't be abused?
I think every program can be abused; no matter how much a program is updated and patched, there will always be a way to hack it.
It's also true for hardware: whatever protection the vendor makes, there will always be someone who will be able to crack that protection.
 
