CyberSecurity news

FlagThis - #windowssecurity

@www.csoonline.com //
A new cybersecurity threat has emerged, putting Windows users at risk. A tool called 'Defendnot' can disable Microsoft Defender, the built-in antivirus software in Windows 10 and 11. This is achieved by registering a fake antivirus product through an exploited vulnerability in the Windows Security Center (WSC) API. This exploit tricks Windows into thinking another antivirus solution is managing real-time protection, causing it to automatically disable Microsoft Defender to avoid conflicts. Even if no real antivirus software is installed, Defendnot can still successfully deactivate the system's primary defense, leaving the computer vulnerable to malicious attacks.

The Defendnot tool, created by a security researcher known as es3n1n, takes advantage of an undocumented WSC API intended for antivirus software manufacturers. This API allows legitimate antivirus programs to inform Windows that they are installed and handling real-time protection. Defendnot abuses this functionality by simulating a valid antivirus product, passing all of Windows' verification checks. This exploitation raises concerns about the security of the WSC API and the potential for other malicious actors to utilize similar techniques to bypass Windows' built-in security measures.

This isn't the first attempt to exploit this vulnerability. An earlier tool, named "no-defender," was previously released but faced a DMCA takedown request after gaining significant attention. The developer was accused of using code from a third-party antivirus product to spoof registration with the WSC. Defendnot is a replacement for that tool; it also features a loader that supports customized antivirus names, registration deactivation, and verbose logging, and it allows automated execution via the Windows Task Scheduler for persistence. Microsoft is aware of the problem and has begun flagging the tool as potentially malicious software, tracking and quarantining it as 'Win32/Sabsik.FL.!ml'.
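Because Defendnot works by registering a product with the Security Center, the defender-side check is to look at what is actually registered there and compare it with Defender's own reported mode. The following PowerShell is an added example, not code from the article or from the Defendnot project; it assumes Windows 10/11 with the built-in Defender module and an elevated shell.

```powershell
# Added example: enumerate products registered with Windows Security Center (WSC)
# and compare them with Microsoft Defender's own state. Run from an elevated shell.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

foreach ($p in $products) {
    # pathToSignedProductExe is the binary the registering product claims to be.
    $exe = $p.pathToSignedProductExe
    $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'N/A' }

    [pscustomobject]@{
        DisplayName  = $p.displayName
        ProductState = ('0x{0:X6}' -f $p.productState)
        Exe          = $exe
        ExeExists    = $exists
        Signature    = $sig
        Registered   = $p.timestamp
    }
}

# Defender reports Passive Mode when it believes another product owns real-time protection.
$mp = Get-MpComputerStatus
"Defender AMRunningMode: $($mp.AMRunningMode); RealTimeProtectionEnabled: $($mp.RealTimeProtectionEnabled)"
```

A registered product whose executable does not exist, is unsigned, or is not a product you deployed, combined with Defender reporting Passive Mode, is the state this technique leaves behind and is worth alerting on.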



References:
  • The DefendOps Diaries: Explore how the Defendnot tool exploits Windows vulnerabilities to disable Microsoft Defender, highlighting cybersecurity challenges.
  • BleepingComputer: New 'Defendnot' tool tricks Windows into disabling Microsoft Defender
  • www.csoonline.com: Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution–a behavior that threat actors can abuse to run malicious code without detection.
  • www.scworld.com: Microsoft Defender deactivated by new tool
  • borncity.com: Windows 10/11: Defender can be deactivated with a simple tool (Defendnot)
  • www.techradar.com: Hackers can turn off Windows Defender with this sneaky new tool
  • phishingtackle.com: Defendnot’s Bypass of Windows Defender Protections
  • : Defendnot is a sophisticated new utility that tricks Windows into disabling Microsoft Defender by posing as a genuine antivirus.
  • Make Tech Easier: How to Prevent Apps From Disabling Microsoft Defender in Windows
Classification:
  • HashTags: #MicrosoftDefender #Defendnot #WindowsSecurity
  • Company: Microsoft
  • Target: Windows users
  • Product: Windows Defender
  • Feature: API spoofing
  • Malware: Defendnot
  • Type: Hack
  • Severity: Medium
@gbhackers.com //
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.

The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active.

The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded by a custom function called "Wales," which stores each string as a sequence of decimal ASCII values and turns it back into readable text only when decoded at run time. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes, presumably to avoid detection or to alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process.
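For an analyst reviewing a sample from this campaign, the encoding above is easy to reverse: split on ']' and map each decimal value back to its character. The PowerShell below is an added example, not the campaign's own "Wales" function; the only input it uses is the encoded sequence quoted in the article, and the watch-list of process names is a constructed one.

```powershell
# Added example: decode the ']'-delimited decimal ASCII strings used by script "G".
function ConvertFrom-BracketAscii {
    param([Parameter(Mandatory)][string]$Encoded)
    $chars = foreach ($token in ($Encoded -split '\]')) {
        if ($token -eq '') { continue }                                  # tolerate a trailing ']'
        if ($token -notmatch '^\d+$') { throw "Non-numeric token '$token'" }
        $code = [int]$token
        if ($code -gt 255) { throw "Value $code is outside the single-byte range" }
        [char]$code
    }
    -join $chars
}

# Encoded sequence quoted in the article.
$sample = '80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41'
$decoded = ConvertFrom-BracketAscii -Encoded $sample
$decoded

# Decoded strings naming security products are the ones worth flagging in a report.
# Constructed watch-list; extend it with the products present in your environment.
$avProcesses = 'avastui.exe', 'MsMpEng.exe'
foreach ($name in $avProcesses) {
    if ($decoded -like "*$name*") { "Sample references security process: $name" }
}
```

Running every "Wales"-encoded literal from the script through the same function gives a plain-text list of the process names, paths and commands the second stage relies on.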



References:
  • cyberpress.org: Hackers Use AutoIT Scripts to Spread Malware on Windows Systems
  • isc.sans.edu: RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • gbhackers.com: Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems
Classification: