CyberSecurity news
FlagThis - #windowssecurity
|
@www.csoonline.com
//
A new cybersecurity threat has emerged, putting Windows users at risk. A tool called 'Defendnot' can disable Microsoft Defender, the built-in antivirus software in Windows 10 and 11. This is achieved by registering a fake antivirus product through an exploited vulnerability in the Windows Security Center (WSC) API. This exploit tricks Windows into thinking another antivirus solution is managing real-time protection, causing it to automatically disable Microsoft Defender to avoid conflicts. Even if no real antivirus software is installed, Defendnot can still successfully deactivate the system's primary defense, leaving the computer vulnerable to malicious attacks.
The Defendnot tool, created by a security researcher known as es3n1n, takes advantage of an undocumented WSC API intended for antivirus software manufacturers. This API allows legitimate antivirus programs to inform Windows that they are installed and handling real-time protection. Defendnot abuses this functionality by simulating a valid antivirus product, passing all of Windows' verification checks. This exploitation raises concerns about the security of the WSC API and the potential for other malicious actors to utilize similar techniques to bypass Windows' built-in security measures. This isn't the first attempt to exploit this vulnerability. An earlier tool, named "no-defender," was previously released but faced a DMCA takedown request after gaining significant attention. The developer was accused of using code from a third-party antivirus product to spoof registration with the WSC. Defendnot is a replacement for that tool, and it also features a loader enabling customized antivirus names, registration deactivation, and verbose logging, as well as allows automated execution via the Windows Task Scheduler for persistence. Microsoft is aware of the problem and has begun flagging the tool as potentially malicious software, being tracked and quarantined as 'Win32/Sabsik.FL.!ml'.
Share:
References :
Classification:
@gbhackers.com
//
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.
The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active. The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which transforms ASCII values into a readable format only after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes to potentially avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process.
Share:
References :
Classification:
Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes. The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches.
Share:
References :
Classification:
|