
Researchers have disclosed significant security weaknesses in popular antivirus software that could be abused to deactivate its protections and to take control of allow-listed applications, making them perform file operations on behalf of malware and so defeating anti-ransomware defenses.
The two attacks are aimed, respectively, at circumventing the protected folder feature offered by antivirus programs so that files inside it can be encrypted (aka "Cut-and-Mouse") and at disabling real-time protection by simulating mouse "click" events on the antivirus user interface (aka "Ghost Control").
Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals, who have more power and dedication to invade
Shortcomings in malware mitigation software could not just permit unauthorized code to turn off its protection features; design flaws in the Protected Folders solution provided by antivirus vendors could also be abused by ransomware to change the contents of files through an application that has been provisioned write access to the folder, thereby encrypting user data, or by wipeware to irrevocably destroy a victim's personal files.
Protected Folders allow users to specify folders that require an additional layer of protection against destructive software, thereby potentially blocking any unsafe access to the protected folders.
A small set of whitelisted applications is granted privileges to write to protected folders. The whitelisted applications themselves, however, are not protected from being misused by other applications. This trust is therefore unjustified, since malware can perform operations on protected folders by using whitelisted applications as intermediaries: the access check only asks which process is writing, not who is driving that process.
An attack scenario devised by the researchers revealed that malicious code could be used to control a trusted application like Notepad to perform write operations and encrypt the victim’s files stored in the protected folders. To this end, the ransomware reads the files in the folders, encrypts them in memory, and copies them to the system clipboard, following which the ransomware launches Notepad to overwrite the folder contents with the clipboard data.
By leveraging Paint as a trusted application, the researchers found that the same attack sequence could be used to overwrite the user's files with a randomly generated image, destroying them permanently.
The Ghost Control attack could have serious consequences of its own: turning off real-time malware protection by simulating legitimate user actions on the user interface of an antivirus solution would permit an adversary to drop and execute any rogue program fetched from a remote server under their control.
Of the 29 antivirus solutions evaluated during the study, 14 were found vulnerable to the Ghost Control attack, while all 29 were found to be at risk from the Cut-and-Mouse attack.
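The practical question for a defender is which of the two attack surfaces described above is exposed on a given endpoint: which allow-listed programs could be driven through the clipboard plus synthesized input, and whether the real-time engine can be switched off through the UI or its settings at all. The PowerShell audit below is an added example, not code from the article or from the researchers' paper. It assumes the endpoint runs Microsoft Defender Antivirus, whose "Controlled folder access" feature is Defender's implementation of the Protected Folders concept discussed here (the article itself does not name individual products); the list of "driveable" editors in `$DriveableEditors` is my own assumption and not taken from the study. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article or the researchers' paper).
# Assumption: Microsoft Defender Antivirus is the installed AV; its
# "Controlled folder access" is the Protected Folders feature under test.

# Assumption (mine, not the paper's): programs that will accept clipboard
# contents and a synthesized Ctrl+V / Ctrl+S and so can act as the
# intermediary the Cut-and-Mouse attack needs.
$DriveableEditors = @('notepad.exe', 'mspaint.exe', 'wordpad.exe', 'write.exe')

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# --- Cut-and-Mouse surface: state of the protected folder feature ----------
switch ($pref.EnableControlledFolderAccess) {
    0       { 'Controlled folder access: DISABLED (protected folders offer nothing)' }
    1       { 'Controlled folder access: enabled (block mode)' }
    2       { 'Controlled folder access: AUDIT only (writes are logged, not blocked)' }
    default { "Controlled folder access: mode $($pref.EnableControlledFolderAccess)" }
}

'Protected folders:'
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }

# --- Cut-and-Mouse surface: the allow-list (the trust the attack abuses) ---
foreach ($app in $pref.ControlledFolderAccessAllowedApplications) {
    $name = [System.IO.Path]::GetFileName($app).ToLowerInvariant()
    if ($DriveableEditors -contains $name) {
        Write-Warning "Allow-listed '$app' can be driven via clipboard + synthesized input"
    } else {
        "Allow-listed: $app"
    }
}

# --- Ghost Control surface: can real-time protection be switched off? -----
"Real-time protection enabled : $($status.RealTimeProtectionEnabled)"
"Tamper protection            : $($status.IsTamperProtected)"
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is OFF: check whether a user (or synthesized input) disabled it'
}
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF: settings changes can disable real-time protection without a prompt'
}
```

Two caveats. First, a clean report from this script shows that the configuration surface is small, not that the product's own UI rejects synthesized clicks; only the kind of testing the researchers did establishes that. Second, the underlying problem is not which editors happen to be allow-listed but that the allow-list is transitive trust with no check on who is driving the trusted process, so trimming `notepad.exe` from the list reduces exposure without removing the design flaw.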
Even as antivirus software providers continue to step up their defenses, malware authors have sneaked past such barriers through evasion and obfuscation tactics, and have even bypassed behavioral detection by feeding it adversarial inputs in poisoning attacks.