BLOG: Researchers Expose Malware Trick Used To Bypass Antivirus Software

Researchers have recently divulged substantial security weaknesses surrounding common software applications, these weaknesses provide gateways that could be mistreated in order to disable their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defences.

The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at avoiding the protected folder feature offered by antivirus systems to encrypt files (aka “Cut-and-Mouse”) and deactivating their real-time protection by imitating and mimicking mouse “click” events (aka “Ghost Control”).

Criminals in the threat landscape are constantly finding new ways to evade the high levels of security executed by antivirus software providers, antivirus software providers always present high levels of security and they are an essential element in the everyday struggle against criminals. This alludes to the idea that any deficiencies in malware mitigation software could not only permit unauthorised code to turn off their protection features but also show that the design flaws in Protected Folders solution provided by antivirus vendors could be abused by ransomware to change the contents of files using an app that’s provisioned write access to the folder and encrypt user data, or a wipeware to irreversibly destroying individual files of victims.

Protected Folders allows users to specify folders that involve a supplementary layer of protection against destructive software, by this means theoretically obstructing and blocking any dangerous entrance to the protected folders.

Researchers stated that a small set of whitelisted applications are granted privileges to write to protected folders, but, these whitelisted applications are not safeguarded from being misused by other applications. The malware can perform operations on protected folders by using whitelisted applications as intermediaries, making the trust somewhat unwarranted.

An attack scenario devised by the researchers revealed that malicious code could be used to control a trusted application like Notepad to perform write operations and encrypt the victim’s files stored in the protected folders. The ransomware inspects the files in the folders, then encrypts them in memory, and copies them to the system clipboard, following which the ransomware propels Notepad to rewrite the folder contents with the clipboard information.

Even worse, by leveraging Paint as a trusted application, the researchers found that the attack sequence could be used to overwrite user’s files with a randomly generated image to destroy them permanently. Ghost Control attack conceivably will have serious consequence, alongside shutting off malware protection by mimicking genuine and authentic actions from the user performed on the user interface of an antivirus solution could allow an adversary to implement any rogue program from a remote server under their control.

In total, the 29 antivirus solutions evaluated during the study found that 14 of them were vulnerable to the Ghost Control attack, whereas all 29 antivirus programs examined were found to be at risk from the Cut-and-Mouse attack, however, researchers did not name suppliers who were involved or affected.

The rulings are a clear notice that security solutions that are openly intended to protect digital assets from malware attacks can experience weaknesses themselves, essentially defeating their purpose. Many antivirus software providers persist with methods that will solidify defences but this does not stop threat actors and malware authors from being able to get past these barriers using evasion and obfuscation tactics.

Components interrelate with one another and with other parts of the system, but this also means an attacker can interact as well, more importantly in ways that were not predicted nor anticipated by the creator.