[German]A nasty thing a security researcher has come across. Windows Update can be tricked into downloading and then running malware. Falls into the category LoLBins (living-off-the-land binaries).
Advertising
I had already reported a problem with LoLBins (living-off-the-land binaries) related to Windows Defender and a new built-in feature in the blog post Security concerns about Microsoft Defender download feature in early September 2020. Shortly after the report this feature was removed again.
What are LOLBINs?
LOLBIN (living-off-the-land binaries) are any binary file provided by the operating system that is normally used for legitimate purposes. However, LOLBINs can also be misused by malicious actors. Attackers can use LOLBINs to download and execute malware, while keeping these activities hidden. After all, operating system files are also used for this purpose.
LoLBins are used by various attackers in combination with fileless malware and legitimate cloud services to increase the chances of remaining undetected within an organization during the attack phases. The concept of LoLBins is not new and not specific to Windows. Almost all traditional operating systems, starting with early DOS versions and Unix systems, contained executable files that could be exploited by attackers. Talos has published a blog post on this topic.
Abusing Windows Update as LOLBIN
I got aware of the topic on Twitter this night via this tweet. A security researcher has taken Windows Update and checked if Windows Update can be misused as LOLBIN.
(Abusing Windows Update as LOLBIN)
Advertising
The WSUS / Windows Update Client (wuauclt) is a utility that can be found as an .exe file in the %windir%\system32\ folder. The utility gives users partial control over some features of the Windows Update Agent (and here) from the command line. MDSec researcher David Middlehurst has discovered that wuauclt can also be used by attackers to execute malicious code on Windows 10 systems. To do this, use the following command line option:
wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServerThe [path_to_dll] is a DLL file that can be configured by the attacker. This DLL file is then executed under the permissions of the Windows Update client.
This attack technique is categorized by MITRE ATT&CK as Signed Binary Proxy Execution via Rundll32. The approach allows attackers to bypass antivirus or other protection mechanisms to protect against viruses, application control and validation of digital certificates. Unsigned code can also be executed via Rundll32. Middlehurst claims to have found an example in the wild (see here) that exploits this technique. More details can be found in Middlehurst's blog post and at Bleeping Computer. I assume that Microsoft will patch some wuauclt in the near future.
