Trend Micro Anti-Threat Toolkit will launch any malware if the file with it is called cmd.exe or regedit.exe

Trend Micro Anti-Threat Toolkit
Written by Brendan Smith

Researcher John Page, also known as hyp3rlinx, spoke about the discovery of the CVE-2019-9491 vulnerability affecting the Trend Micro Anti-Threat Toolkit (ATTK) and allowing arbitrary code execution.

It turns out that the software with which user wants to protect his machine can be used to run malware. Cannot believe it? Read on!

Page found that ATTK can be tricked and taken out to execute any program or arbitrary malware during a scan. To do this, simply name the desired cmd.exe or regedit.exe file.

“Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of ‘cmd.exe’ or ‘regedit.exe. And the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user.” – John Page (aka hyp3rlinx) explained on Saturday.

In fact, it is enough for an attacker to save a file named cmd.exe or regedit.exe on the victim’s computer (for example, it could be an attachment in an email) and it will be executed by ATTK.

Read also: Vulnerability in Kaspersky Anti-Virus allowed cybercriminals monitoring users

Since ATTK is signed by a trusted publisher, this will circumvent any MOTW security warnings.

Demonstration of exploitation of vulnerability:

In addition, if the malware was downloaded from the Internet, ATTK can become a mechanism for its constant presence in the system, since every time the Anti-Threat Toolkit starts, the malware will run.

Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as each time the Anti-Threat Toolkit is run so can an attackers malware”, — confirms John Page (aka hyp3rlinx).


Trend Micro developers have already fixed this vulnerability by releasing a patch late last week. Users are now advised to update ATTK to version as soon as possible.

Just in case, try not to save files called cmd.exe or regedit.exe on a Windows PC.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

Leave a Reply