The exploit associated with Windows Defender (0BEFB96279DA248F6D49169E047EE7AB) is a malicious script that tries to disable or bypass Windows Defender's security features and then download and execute several types of malware on the infected device. The script is part of a larger campaign that targets organizations with cryptominers, keyloggers, and backdoors¹.
The script, named runxm1.cmd, is typically delivered by exploiting vulnerabilities on servers and workstations¹. It attempts to manipulate the registry settings of Windows Defender to disable its protection and add several files to its exclusion list. These files are used at different stages of the attack and include:
- intelsvc.exe: A cryptominer that uses the device’s resources to mine Monero cryptocurrency (XMR)¹.
- View.exe: A keylogger that records the keystrokes of the user and sends them to a remote server¹.
- rtkaudio.exe: A backdoor that allows the attackers to execute arbitrary commands on the device¹.
- config.txt: A configuration file that contains the parameters for the cryptominer and the backdoor¹.
The script also tries to obtain administrator rights and rename folders of known security solutions to prevent them from running on the device¹. It then accesses a domain that hosts a platform that displays real-time cryptocurrency exchange rates and downloads the aforementioned files from there¹. Finally, it runs the cryptominer and the backdoor using the configuration file as an argument¹.
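Added example (not code from the report or from Microsoft) of how a defender would audit a host for the Defender tampering described above: policy values that switch protection off, and exclusions that match the campaign's file names. The indicator list is built only from names the report gives; run from an elevated PowerShell prompt.

```powershell
# Added example: audit Defender policy tampering and suspicious exclusions.
# The indicator list is the set of file names the report attributes to the campaign.
$SuspiciousNames = @('runxm1.cmd', 'intelsvc.exe', 'View.exe', 'rtkaudio.exe', 'config.txt')

function Get-DefenderPolicyTampering {
    # Policy values that switch Defender features off; absent or 0 is the healthy state.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Setting = $c.Name; Value = $value; Tampered = ($value -eq 1) }
    }
    # Live state as reported by the engine itself, independent of the registry.
    $status = Get-MpComputerStatus
    [pscustomobject]@{ Setting = 'RealTimeProtectionEnabled'; Value = $status.RealTimeProtectionEnabled; Tampered = (-not $status.RealTimeProtectionEnabled) }
    [pscustomobject]@{ Setting = 'IsTamperProtected';         Value = $status.IsTamperProtected;         Tampered = (-not $status.IsTamperProtected) }
}

function Get-SuspiciousExclusions {
    # Path and process exclusions whose file name matches one of the campaign's indicators.
    # -contains compares case-insensitively, so View.exe and view.exe both match.
    $pref = Get-MpPreference
    $all  = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }
    foreach ($entry in $all) {
        $leaf = Split-Path -Path $entry -Leaf
        if ($SuspiciousNames -contains $leaf) {
            [pscustomobject]@{ Exclusion = $entry; MatchedIndicator = $leaf }
        }
    }
}

function Remove-SuspiciousExclusions {
    # Kept separate from detection so the hit list can be reviewed and preserved as
    # evidence before anything on the host is changed.
    foreach ($hit in Get-SuspiciousExclusions) {
        Remove-MpPreference -ExclusionPath    $hit.Exclusion -ErrorAction SilentlyContinue
        Remove-MpPreference -ExclusionProcess $hit.Exclusion -ErrorAction SilentlyContinue
    }
}

Get-DefenderPolicyTampering | Format-Table -AutoSize
Get-SuspiciousExclusions    | Format-Table -AutoSize
# Remove-SuspiciousExclusions   # run only after reviewing the hits above
```

A non-empty hit list or any row with Tampered = True is a strong signal that this campaign, or something like it, has already run on the host, so treat the machine as compromised rather than merely cleaning the exclusions.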
The exploit targets several mitigations that can be applied to either the operating system or individual apps through Windows Defender Exploit Guard. Exploit Guard is a feature that helps protect against malware that uses exploits to infect devices and spread². It consists of many mitigations that can be enabled or disabled separately by various methods, such as the Windows Security app, Microsoft Intune, Microsoft Configuration Manager, Group Policy, or PowerShell².
Some of the mitigations that are relevant for this exploit are:
- Data Execution Prevention (DEP): A mitigation that prevents code from being executed from data-only memory pages, such as the stack or the heap⁵. The script tries to disable DEP through the registry¹.
- Address Space Layout Randomization (ASLR): A mitigation that randomizes the location of code and data in memory to make it harder for exploits to find and modify them⁵. The script tries to force some apps to relocate images in memory using ASLR⁴.
- Export Address Filtering (EAF) and Import Address Filtering (IAF): Mitigations that monitor attempts to access the Export Address Table (EAT) and Import Address Table (IAT) of modules loaded in a process. These tables contain information about exported and imported functions, which are often used by exploits to locate APIs⁵. The script tries to disable EAF and IAF for some apps through the registry⁴.
- ROP mitigations: A set of mitigations that detect and block common techniques used by Return-Oriented Programming (ROP) exploits, which bypass DEP by reusing existing code snippets in memory⁵. The script tries to disable several ROP mitigations for some apps through the registry⁴.
- Block remote images: A mitigation that prevents loading of images from remote devices. This can prevent an attacker from mapping malicious code into a process from a remote source⁵. The script tries to disable this mitigation for some apps through the registry⁴.
- Child process creation: A mitigation that prevents an app from creating child processes. This can prevent an attacker from launching a new process from within a compromised app⁵. The script tries to disable this mitigation for some apps through the registry⁴.
To protect against this exploit, enable these mitigations system-wide or for individual apps through Exploit Guard. Keep Windows Defender updated and scan the device regularly for signs of infection. Avoid opening suspicious links or attachments, and use strong passwords and multi-factor authentication for online accounts.
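Added example (not code from the report or from Microsoft) showing how to audit, and optionally enforce, the per-app Exploit Guard mitigations listed above with the built-in ProcessMitigations cmdlets. The `$Apps` list is a placeholder for the executables you want covered; run from an elevated PowerShell prompt.

```powershell
# Added example: report which of the page's mitigations are not ON for each app,
# then enforce them once the gaps have been reviewed. $Apps is a placeholder.
$Apps = @('PLACEHOLDER_APP.exe')

# Each entry names the section/property that Get-ProcessMitigation reports and the
# name the same setting takes in Set-ProcessMitigation -Enable. Readback is ON/OFF/NOTSET.
$Wanted = @(
    @{ Section = 'DEP';          Property = 'Enable';                       Flag = 'DEP' },
    @{ Section = 'ASLR';         Property = 'ForceRelocateImages';          Flag = 'ForceRelocateImages' },
    @{ Section = 'Payload';      Property = 'EnableExportAddressFilter';    Flag = 'EnableExportAddressFilter' },
    @{ Section = 'Payload';      Property = 'EnableImportAddressFilter';    Flag = 'EnableImportAddressFilter' },
    @{ Section = 'Payload';      Property = 'EnableRopStackPivot';          Flag = 'EnableRopStackPivot' },
    @{ Section = 'Payload';      Property = 'EnableRopCallerCheck';         Flag = 'EnableRopCallerCheck' },
    @{ Section = 'Payload';      Property = 'EnableRopSimExec';             Flag = 'EnableRopSimExec' },
    @{ Section = 'ImageLoad';    Property = 'BlockRemoteImageLoads';        Flag = 'BlockRemoteImageLoads' },
    @{ Section = 'ChildProcess'; Property = 'DisallowChildProcessCreation'; Flag = 'DisallowChildProcessCreation' }
)

function Get-MitigationGaps {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $state = Get-ProcessMitigation -Name $name -ErrorAction SilentlyContinue
        foreach ($w in $Wanted) {
            # Dynamic property access: $state.Payload.EnableRopSimExec, and so on.
            $value = if ($state) { "$($state.($w.Section).($w.Property))" } else { 'UNKNOWN' }
            [pscustomobject]@{ App = $name; Setting = $w.Flag; State = $value; Enforced = ($value -eq 'ON') }
        }
    }
}

function Enable-WantedMitigations {
    param([string[]]$Names)
    $flags = $Wanted | ForEach-Object { $_.Flag }
    foreach ($name in $Names) {
        # DisallowChildProcessCreation and EAF/IAF can break apps that legitimately spawn
        # helpers or resolve APIs at run time, so test the app after enforcing.
        Set-ProcessMitigation -Name $name -Enable $flags
    }
}

Get-MitigationGaps -Names $Apps | Where-Object { -not $_.Enforced } | Format-Table -AutoSize
# Enable-WantedMitigations -Names $Apps   # uncomment after reviewing the gaps above
```

Re-running Get-MitigationGaps after enforcement also doubles as a tamper check: a setting that was ON and later reads OFF or NOTSET is the registry change this script makes.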
(1) Organizations under attack from cryptominer-keylogger-backdoor combo …. https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/.
(2) Turn on exploit protection to help mitigate against attacks. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide.
(3) Customize exploit protection | Microsoft Learn. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide.
(4) Exploit protection reference | Microsoft Learn. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide.
(5) Windows Defender Exploit Guard: Reduce the attack surface against next …. https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/.