Academic researchers at the University of Luxembourg and the University of London have discovered critical security flaws in popular security software. According to the published research, the flaws may be exploited to disable the antivirus protection layers and take control of allow-listed apps in order to carry out malicious actions on behalf of the malware and circumvent anti-ransomware protection.
According to the details revealed by the researchers, exploiting the weakness allows a malicious actor to access folders protected by the antivirus program and encrypt their data, after disabling real-time protection through a simulated mouse “click” (Ghost Control).
To put it another way, flaws in malware mitigation software could not only allow unauthorized code to disable its protection features but also undermine antivirus vendors’ Protected Folders solutions, allowing threats like ransomware to change the contents of those folders by abusing apps that have write access to them.
Protected Folders is a useful feature that many antivirus programs include. It enables users to designate folders that need an extra degree of protection against harmful applications, blocking any unauthorized access to them.
In their report, the researchers demonstrate how malicious code can manipulate a trusted program like Notepad into performing the write operations that encrypt the victim’s data stored in protected folders. To do this, a ransomware infection reads the contents of the folders, encrypts them in memory, and copies the result to the system clipboard, after which it runs Notepad and overwrites the contents of the protected folders with the clipboard data.
In another demonstration, the researchers found that, by using Paint as the trusted program, the same attack sequence could be leveraged to permanently replace user files with randomly generated pictures.
The research points out that Ghost Control attacks like these might have major ramifications, since imitating normal user activity on an antivirus solution’s user interface could allow a threat actor to drop and execute any malicious application fetched from a remote server under their control.