Researcher John Page, also known as hyp3rlinx, has disclosed CVE-2019-9491, a vulnerability in the Trend Micro Anti-Threat Toolkit (ATTK) that allows arbitrary code execution.
It turns out that software a user installs to protect their machine can itself be used to run malware. Hard to believe? Read on.
Page found that ATTK can be tricked into executing an arbitrary program, including malware, during a scan. All an attacker has to do is name the executable cmd.exe or regedit.exe.
“Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of ‘cmd.exe’ or ‘regedit.exe’. And the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user.” – John Page (aka hyp3rlinx) explained on Saturday.
In practice, it is enough for an attacker to get a file named cmd.exe or regedit.exe onto the victim’s computer (for example, as an email attachment) and have it sit near ATTK when the scan runs; ATTK will then execute it.
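The bug belongs to the binary-planting class: a program runs a helper by bare name, and the lookup finds an attacker-controlled file before the genuine one under %SystemRoot%\System32. The block below is an added illustration written for this article, not Trend Micro's code and not a claim about how ATTK's lookup is implemented; it contrasts an unsafe "current directory first" resolver with a hardened one that only accepts the copy in the system directory, and adds a small scanner that flags cmd.exe / regedit.exe files living outside that directory. All folders, files and names (`resolve_unsafe`, `resolve_hardened`, `find_planted`, `demo`) are constructed here for the example.

```python
"""Binary-planting illustration for CVE-2019-9491 (added example, not ATTK code).

Models a program that launches "cmd.exe" by bare name:
  - resolve_unsafe: checks the current directory first, then PATH entries,
    so a planted cmd.exe next to the scanner wins over the real one.
  - resolve_hardened: ignores cwd and PATH and only accepts the file that
    actually lives in the trusted system directory.
  - find_planted: scans user folders for files named like system binaries.
Every directory and file is built in a temporary folder; nothing is executed.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Sequence

# File names the advisory says ATTK will execute when found near the scan.
PLANTABLE_NAMES = {"cmd.exe", "regedit.exe"}


def resolve_unsafe(name: str, cwd: Path, search_path: Sequence[Path]) -> Optional[Path]:
    """Unsafe lookup order: current directory, then each search-path entry.

    This is the order that lets a planted file shadow the genuine binary.
    """
    for directory in [cwd, *search_path]:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def resolve_hardened(name: str, system_dir: Path) -> Optional[Path]:
    """Hardened lookup: build the absolute path under the trusted directory.

    The resolved parent must still be the system directory, so a symlinked
    or relocated copy with the right name is rejected.
    """
    candidate = (system_dir / name).resolve()
    if not candidate.is_file():
        return None
    if candidate.parent != system_dir.resolve():
        return None
    return candidate


def find_planted(roots: Sequence[Path], system_dir: Path) -> List[Path]:
    """Report files named like Windows system binaries that live outside system_dir.

    Point it at Downloads, attachment caches or the folder ATTK is run from.
    """
    hits: List[Path] = []
    sysdir = system_dir.resolve()
    for root in roots:
        for path in root.rglob("*"):
            if path.is_file() and path.name.lower() in PLANTABLE_NAMES:
                if sysdir not in path.resolve().parents:
                    hits.append(path)
    return hits


def demo() -> dict:
    """Construct a toy layout: a fake System32 and a Downloads folder holding a planted cmd.exe."""
    base = Path(tempfile.mkdtemp())
    system32 = base / "Windows" / "System32"
    downloads = base / "Downloads"
    system32.mkdir(parents=True)
    downloads.mkdir()
    (system32 / "cmd.exe").write_bytes(b"MZ genuine (constructed placeholder)")
    (downloads / "cmd.exe").write_bytes(b"MZ planted (constructed placeholder)")

    return {
        "system32": system32,
        "downloads": downloads,
        # Scanner launched from Downloads: the planted copy is found first.
        "unsafe": resolve_unsafe("cmd.exe", cwd=downloads, search_path=[system32]),
        # Hardened lookup never looks at Downloads at all.
        "hardened": resolve_hardened("cmd.exe", system_dir=system32),
        # Hunting for imposters in user-writable folders.
        "planted": find_planted([downloads], system32),
    }


if __name__ == "__main__":
    result = demo()
    print("unsafe lookup ->", result["unsafe"])
    print("hardened lookup ->", result["hardened"])
    print("planted imposters ->", result["planted"])
```

The scanner is the part worth keeping after patching: on a real Windows host, run `find_planted` over the user's Downloads and temp folders with `system_dir=Path(r"C:\Windows\System32")`, and for each hit check whether it came from the Internet with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell, which prints the Mark-of-the-Web zone data if the file carries it.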
Because ATTK is signed by a trusted publisher, and it is ATTK rather than the user that launches the planted file, any Mark-of-the-Web (MOTW) warnings that would normally accompany a downloaded executable are bypassed.
Demonstration of exploitation of vulnerability:
In addition, ATTK can serve as a persistence mechanism: every time the Anti-Threat Toolkit runs, the planted malware runs with it.
“Since the ATTK is signed by a verified publisher and therefore assumed trusted, any MOTW security warnings are bypassed if the malware was internet downloaded; also it can become a persistence mechanism as each time the Anti-Threat Toolkit is run so can an attacker’s malware”, — confirms John Page (aka hyp3rlinx).
Fix
Trend Micro has already fixed this vulnerability with a patch released late last week. Users are advised to update ATTK to version 1.62.0.1223 as soon as possible.
As an extra precaution, avoid keeping files named cmd.exe or regedit.exe anywhere outside the Windows system directories.