BEWARE! Hackers Use Windows 10's Innocent Feature to Hide Malware Attacks

New Windows 10 LOLBin Can Mask Malware Attacks, Launched as Part of Personalization CSP
Photo: Tadas Sar on Unsplash

An innocuous Windows 10 feature can be turned into a LOLBin that hackers use to hide malware attacks. According to a TechRadar report, researchers identified a new living-off-the-land binary (LOLBin) in Windows 10 that cyberattackers and other hackers can use to deliver and conceal malware.

The report explained that Windows 10 ships with many LOLBins, each of which serves a legitimate function. However, attackers with the right privileges can abuse these binaries to conduct attacks that bypass security tooling without the victim even noticing. The security firm SentinelOne discovered the new LOLBin, desktopimgdownldr.exe, which is normally responsible for the benign task of setting custom desktop and lock screen backgrounds.

The binary, which lives in the Windows 10 system32 folder, can reportedly be used as an alternative to the widely known LOLBin certutil.exe, acting as a "stealthy downloader".

According to SentinelOne's report, a file can be downloaded from a web server using only a couple of default, system-signed executables, which is exactly the kind of activity every threat hunter and security product looks for as a sign of abuse by threat actors.

Although the use of LOLBins in the wild has been written about extensively, uncovering novel ones helps researchers and security practitioners prevent their abuse.

New Windows 10 LOLBin can mask malware attacks, launched as part of personalization CSP

desktopimgdownldr.exe, deployed as part of the Personalization CSP, allows administrators to set and lock a user's background image. Normally the binary overwrites the existing desktop image, which would be a visible red flag; the report explained that a cyberattacker could sidestep that red flag by deleting the registry entry immediately after running the binary.

The technique is specifically designed to let an attacker deliver a malicious file onto the system undetected. Although the binary is intended to be run only by privileged users, standard users can also abuse one of its functions to run the LOLBin without administrator rights.

When triggered by a standard user, the executable fails to alter the background image, since the user lacks the necessary authorization, leaving no evidence other than the downloaded file. SentinelOne's security researchers advise other security practitioners to mitigate the threat by updating their watchlists and treating the newly identified LOLBin as they would the widely abused alternative, certutil.exe.
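The watchlist advice above, turned into hunting logic as an added example (this is not SentinelOne's, Microsoft's or the article's code). It flags the two download-capable LOLBins the article names, desktopimgdownldr.exe and certutil.exe, over constructed process-creation and registry-deletion events. It assumes a flattened `k=v|k=v` log format of my own, that a legitimate Personalization CSP run executes as SYSTEM, that the CSP keeps its state under a registry key whose path contains `PersonalizationCSP`, and a 60-second window for the "run, then delete the registry entry" cleanup pattern the article describes:

```python
"""Hunting rules for the download-capable LOLBins named in the article.

All events below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumption: when the Personalization CSP legitimately applies a background,
# desktopimgdownldr.exe runs in the SYSTEM context; any other account stands out.
EXPECTED_USERS = {"NT AUTHORITY\\SYSTEM"}
# Assumption: the CSP's registry state lives under a key containing this name.
CSP_KEY_HINT = "PersonalizationCSP"
# Assumption: a registry deletion this soon after the run is the cleanup pattern.
CLEANUP_WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    kind: str    # "proc" (process creation) or "regdel" (registry key deletion)
    user: str
    image: str   # process image for "proc"; deleting process for "regdel"
    detail: str  # command line for "proc"; registry path for "regdel"


def parse(line: str) -> Event:
    """Parse one 'k=v|k=v|...' line of the constructed, flattened log format."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    return Event(datetime.fromisoformat(f["ts"]), f["kind"],
                 f["user"], f["image"], f["detail"])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return (timestamp, severity, reason) findings in time order."""
    findings = []
    events = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(events):
        if ev.kind != "proc":
            continue
        name = basename(ev.image)
        if name == "certutil.exe" and URL_RE.search(ev.detail):
            url = URL_RE.search(ev.detail).group()
            findings.append((ev.ts, "medium", f"certutil.exe fetching {url} as {ev.user}"))
        elif name == "desktopimgdownldr.exe" and ev.user.upper() not in EXPECTED_USERS:
            findings.append((ev.ts, "medium",
                             f"desktopimgdownldr.exe run by {ev.user} outside the SYSTEM/CSP context"))
            # Cleanup pattern: the CSP registry entry deleted right after the run.
            for later in events[i + 1:]:
                if later.ts - ev.ts > CLEANUP_WINDOW:
                    break
                if (later.kind == "regdel" and later.user == ev.user
                        and CSP_KEY_HINT.lower() in later.detail.lower()):
                    gap = int((later.ts - ev.ts).total_seconds())
                    findings.append((later.ts, "high",
                                     f"{CSP_KEY_HINT} key deleted by {ev.user} {gap}s after desktopimgdownldr.exe ran"))
                    break
    return findings


# Constructed sample log: one legitimate CSP run, one standard-user run followed
# by registry cleanup, one certutil download, and one benign process.
SAMPLE_LOG = [
    "ts=2020-06-30T09:00:00|kind=proc|user=NT AUTHORITY\\SYSTEM|image=C:\\Windows\\System32\\desktopimgdownldr.exe|detail=desktopimgdownldr.exe https://intranet.example.invalid/lockscreen.jpg",
    "ts=2020-06-30T09:05:10|kind=proc|user=CORP\\jdoe|image=C:\\Windows\\System32\\desktopimgdownldr.exe|detail=desktopimgdownldr.exe https://cdn.example.invalid/update.jpg",
    "ts=2020-06-30T09:05:12|kind=regdel|user=CORP\\jdoe|image=C:\\Windows\\System32\\reg.exe|detail=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP",
    "ts=2020-06-30T09:07:00|kind=proc|user=CORP\\jdoe|image=C:\\Windows\\System32\\certutil.exe|detail=certutil.exe https://cdn.example.invalid/tool.bin",
    "ts=2020-06-30T09:08:00|kind=proc|user=CORP\\jdoe|image=C:\\Windows\\System32\\notepad.exe|detail=notepad.exe notes.txt",
]
SAMPLE_EVENTS = [parse(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for ts, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} [{severity}] {reason}")
```

The SYSTEM-context run with a URL produces no finding, which keeps genuine CSP deployments quiet; the standard-user run is flagged on its own, and the registry deletion two seconds later escalates it, matching the cleanup the article describes. In a real deployment the user and key assumptions should be replaced with values baselined from your own endpoints.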

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.