Malware Leverages Windows “God Mode” for Persistency

Researchers from Intel Security recently discovered that a piece of malware dubbed “Dynamer” is taking advantage of a Windows Easter Egg called “God Mode” to gain persistency on an infected machine.

The so-called God Mode allows users to create a folder and give it a special name, which turns it into a shortcut to Windows settings and folders such as control panels, My Computer, or printers. The feature was introduced by Microsoft in Windows Vista and can prove a handy tool for administrators and savvy users alike.

However, the Dynamer malware shows that cybercriminals are now abusing the function, mainly because files placed in the master control panel shortcuts in this special folder are not easily accessible via Windows Explorer. McAfee’s Craig Schmugar explains in a blog post that this happens because these folders do not open like other folders, but rather redirect the user.

The malware installs itself into a folder inside the %AppData% directory and creates a registry Run key that persists across reboots. With the help of this key, the malware executes normally, yet the folder in which it was installed cannot be opened directly through Windows Explorer, because the folder redirects to the RemoteApp and Desktop Connections control panel item.

The folder is named “com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B},” which is yet another bad thing, Schmugar explains. Because of the “com4” name, Windows considers the folder as being a device, meaning that the user cannot easily delete it.

In fact, the researcher explains, such device names are forbidden by normal Windows Explorer and cmd.exe commands. Because Windows treats the “com4” folder as a device rather than a folder, Windows Explorer and typical console commands are useless when attempting to delete it.

However, McAfee researchers say that users whose systems have been infected can still get rid of this malware. First, users should terminate Dynamer’s process via Task Manager or another standard tool. Next, they should run a specially crafted command from the command prompt (cmd.exe):

> rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
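The two properties the article describes, a CLSID suffix that turns a folder into a shell redirect and a reserved device name (com4) that blocks ordinary deletion, are both visible in the folder name alone, so a defender can check for them without opening the folder. The following Python script is an added example written for this article, not code from McAfee or SecurityWeek. It classifies folder names, flags Run-key entries whose program path passes through such a folder, and builds the `\\.\`-prefixed `rd` command from the article for whatever folder it finds. The CLSID is the one named in the article; the user profile path, the `lsm.exe` file name and the sample Run-key values are constructed for the demonstration.

```python
import os
import re

# Win32 reserved device names. A folder whose name (up to its first dot) is one
# of these cannot be opened or deleted through a normal path, which is why the
# article's "com4.{CLSID}" folder resists Explorer and a plain "rd".
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# "God Mode" folder naming: "<anything>.{<CLSID>}". Explorer redirects such a
# folder to the shell item the CLSID names instead of showing its contents.
CLSID_FOLDER = re.compile(
    r"^(?P<base>.+?)\.(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)


def classify_folder_name(name):
    """Return details if `name` is a CLSID-suffixed folder, else None.

    `reserved_device` is set when the folder additionally carries a reserved
    device name, i.e. the combination Dynamer uses.
    """
    match = CLSID_FOLDER.match(name)
    if not match:
        return None
    stem = match.group("base").split(".", 1)[0].upper()
    return {
        "clsid": match.group("clsid").upper(),
        "reserved_device": stem if stem in RESERVED_DEVICE_NAMES else None,
    }


def device_namespace_path(path):
    r"""Prefix a Win32 path with \\.\ so the reserved-name rules are bypassed."""
    if path.startswith("\\\\.\\") or path.startswith("\\\\?\\"):
        return path
    return "\\\\.\\" + path


def removal_command(folder_path):
    """Build the cmd.exe removal command from the article for any such folder."""
    return f'rd "{device_namespace_path(folder_path)}" /S /Q'


def executable_from_command_line(cmdline):
    """Extract the program path from a Run-key command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def find_suspicious_run_values(run_values):
    """Flag Run-key entries whose program path passes through a CLSID folder.

    `run_values` maps value name -> command line, as read from a Run key.
    Returns a list of (value_name, folder_path, details).
    """
    hits = []
    for value_name, cmdline in run_values.items():
        parts = re.split(r"[\\/]", executable_from_command_line(cmdline))
        for index, part in enumerate(parts):
            details = classify_folder_name(part)
            if details:
                hits.append((value_name, "\\".join(parts[: index + 1]), details))
    return hits


def scan_directory(root):
    """List CLSID-suffixed subfolders directly under `root` (e.g. %AppData%)."""
    found = []
    for entry in os.scandir(root):
        details = classify_folder_name(entry.name)
        if entry.is_dir() and details:
            found.append((entry.path, details))
    return found


# Constructed sample Run-key values (hypothetical user profile and file name;
# the CLSID is the one reported for Dynamer).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "lsm": r'"C:\Users\alice\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe"',
}

if __name__ == "__main__":
    for value_name, folder, details in find_suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{value_name}: {folder} -> {details}")
        print("  remove with:", removal_command(folder))
```

On a live Windows host, `scan_directory(os.environ["APPDATA"])` lists such folders directly, and the Run-key values can be read with the standard `winreg` module; the `\\.\` prefix is what lets `rd` reach a folder whose name Win32 would otherwise parse as a device.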

Dynamer emerged on the threat landscape several years ago, but most security programs out there should be able to detect it, including Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista, Microsoft says. However, the Trojan is considered a severe threat to users.

Dynamer proves that as the threat landscape evolves, new malware variants are attempting to leverage various operating system functions to perform malicious operations. Recently, attackers were observed abusing PowerShell and Google Docs to deliver the Laziok Trojan, while the PowerWare ransomware was seen earlier this year abusing PowerShell and Office macros to infect computers.

With the release of Enhanced Mitigation Experience Toolkit (EMET) 5.2 last March, Microsoft attempted to mitigate the VBScript God Mode exploitation technique. At the time, the configuration for the ASR mitigation in EMET was improved to stop attempts to run the VBScript extension when loaded in Internet Explorer’s Internet Zone.

Related: PowerSniff Malware Attacks Abuse Macros, PowerShell
