To survive, macro downloaders have to constantly develop new techniques for evading sandbox environments and anti-virus applications.

Recently, Fortinet spotted a malicious document macro designed to bypass Microsoft Windows' UAC security and execute Fareit, an information-stealing malware, with high system privilege.

This malicious document is distributed by a spam email. As part of its social engineering strategy, it is presented in the context of someone being interested in a product.

As usual, when the document is opened the targeted victim is instructed to enable Microsoft Word's macro execution. In doing so, the malicious macro executes in the background.

Fig.2 Malicious document instructs user to allow macro

The macro uses simple obfuscation by inserting garbage characters into real strings.

Fig.3 Function to remove the garbage characters

AR c A m 4Y d AJ. JZ e 4 x R e J R / R c JY 6A p 64 o A6 w Y e A J r ZZ s YJ h AA e 4 l R l …

Below is the full shell command executed by the macro:

It's common behavior for a malicious document macro to download and execute malware. However, what's interesting with this attack is that it executes the Fareit malware (sick.exe) with "High" privilege. In a default UAC setting, it should not be possible to do this without the UAC permission prompt popping up.

Fig.4 Macro executes Event Viewer and Fareit (sick.exe)

UAC Bypass and Privilege Escalation

An application running with high privilege in the system means access to more resources that would otherwise be inaccessible if running with lower privilege. In terms of malware, this means more data that can be stolen and more changes that can be made to the system.

UAC is a security feature that prevents an application from executing with higher privileges without the user's permission. It is also a very convenient feature that allows users to perform non-administrator and administrator tasks without switching users.

Bypassing that setting has everything to do with the executed Windows native application, eventvwr.exe.

To understand the shell command, let's divide it into four sections.
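The garbage-character obfuscation described above can be undone by an analyst without running the macro. The helper below is an added example, not code from the Fortinet post or from the macro; it assumes the garbage alphabet (A, R, J, Y, Z, 4, 6) inferred from the quoted fragment, and that the spacing in the post's rendering of that fragment is padding too. The decoded fragment exposes the cmd.exe /c powershell launcher, and the triage tokens (cmd.exe, powershell, eventvwr) are chosen from what the post describes.

```python
# Added analyst helper, not code from the Fortinet post or from the macro itself.
# Assumption: the garbage alphabet below is inferred from the obfuscated fragment
# quoted in the post; removing A, R, J, Y, Z, 4 and 6 from it leaves the real
# command tokens (cmd.exe, /c, powershell). The macro's own cleanup function
# (Fig.3) is not reproduced on the page.
GARBAGE = frozenset("ARJYZ46")

# Constructed copy of the fragment shown in the post (truncated there with "...").
SAMPLE = ("AR c A m 4Y d AJ. JZ e 4 x R e J R / R c JY 6A p 64 o A6 w Y e A J r "
          "ZZ s YJ h AA e 4 l R l")

# Tokens worth flagging during triage, based on what the post describes:
# a cmd.exe/PowerShell launcher and the eventvwr.exe UAC bypass.
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "eventvwr")


def strip_garbage(text, garbage=GARBAGE):
    """Drop every character that belongs to the garbage alphabet (case-sensitive)."""
    return "".join(ch for ch in text if ch not in garbage)


def deobfuscate(text, garbage=GARBAGE):
    """Recover the real string from a garbage-padded one.

    Assumption: the spaces in the post's rendering of the sample are padding as
    well, so all whitespace is removed after the garbage characters are stripped.
    """
    return "".join(strip_garbage(text, garbage).split())


def suspicious_tokens(decoded):
    """Return the triage tokens present in a decoded string, in a fixed order."""
    lowered = decoded.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]


def garbage_ratio(text, garbage=GARBAGE):
    """Fraction of non-space characters that are garbage; high values suggest padding."""
    chars = [ch for ch in text if not ch.isspace()]
    if not chars:
        return 0.0
    return sum(ch in garbage for ch in chars) / len(chars)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print("decoded :", decoded)                 # cmd.exe/cpowershell
    print("tokens  :", suspicious_tokens(decoded))
    print("garbage :", round(garbage_ratio(SAMPLE), 2))
```

Because the whitespace handling is an assumption, the decoded output keeps the tokens glued together; the garbage ratio is a useful first filter when the padding alphabet is not yet known.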