Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11CertUtil.exe allows an attacker to download malicious code and bypass antivirus software
Windows has an integrated software called CertUtil for managing certificates in Windows. Using CertUtil you can install, backup, delete, manage, perform certification-related functions in Windows.
One of CertUtil's features is to download the certificate or any related file from the URL and save it on the computer using certutil.exe -urlcache -split -f [URL] output.file .
In 2017, security researcher Casey Smith warned of using this method to download malicious code. In 2016 it was taken advantage of and last March there was a Trojan that used it to download a series of files and scripts to the computer.
The attacker still uses CertUtil because some computers are still locked, not allowing strange software to download files. Using Windows built-in software will help to be whitelisted and allowed to download files.
CertUtil.exe allows an attacker to download malicious code and bypass antivirus software Picture 1
CertUtil is used on a recent trojan
Use CertUtil + Base64 to bypass antivirus software
Security consultant Xaview Mertens recently released a new way to use CertUtil, whereby base64 will first encrypt the malicious file to be identified as harmless, then decrypt it after being downloaded by CertUtil.exe.
Command to download files with CertUtil:
certutil.exe -urlcache -split -f [URL] output.file
MalwareHunterTeam indicates that certutil.exe -decode has been used in practice. F5 Labs also details a campaign using CertUtil.exe to install a virtual money digging tool. Fabio Assolini from Kaspersky also warned that this method was used in Brazil.
Every day there are always new tricks to exploit the programs that are legal, secure on Windows. If you do not use CertUtil to access the certificate or remote server, you should lock the network connectivity of this tool.
See more:
- Warning of new malware appear like Wannacry, capable of deleting Vietnamese percussion on computer
- What to do when the computer is infected with a virus that fights virtual money?
- Plugins on well-known editing tools can give hackers priority
Micah SotoYou should read it
- Malicious ads dig virtual money right on the browser
- Warning: new code of virtual money digging is available via Facebook Messenger
- What to do when the computer is infected with a virus that fights virtual money?
- VNCERT issued an emergency alert warning malicious code exploiting Coinhive virtual money
- Warning: a new variant of the virus that fills virtual money via Facebook Messenger will appear every 10 minutes
- Warning: A new code of virtual money training is spreading strongly in Vietnam
- After WannaCry, Petya's 'extortion' malicious code is raging, this is a remedy to prevent
- Warning: New variants of malicious code digging on Facebook threaten users in Vietnam
- Discover a new kind of malicious code that can record the phone call to extort money
- The malware owner earned $ 63,000 from digging Monero on the IIS server
- Fileless malware - Achilles heel of traditional antivirus software
- Smartphone can also be exploited by hackers to dig virtual money illegally
Maybe you are interested
Attack the network
Warning: GandCrab extortionist code is attacking Vietnam- Appearing dangerous Android malicious code specializing in stealing chat content on Facebook Messenger, Skype ...
- Warning: Detecting more than 1000 Cisco router and switch devices in Vietnam has a serious security error
- A series of cult videos, billions of views on YouTube were hacked, renamed and deleted
- Ransomware appears to require users to play PUBG for 1 hour instead of ransom
- Warning of donkey by accepting money on Facebook
Warning: GandCrab extortionist code is attacking Vietnam
Appearing dangerous Android malicious code specializing in stealing chat content on Facebook Messenger, Skype ...
Warning: Detecting more than 1000 Cisco router and switch devices in Vietnam has a serious security error
A series of cult videos, billions of views on YouTube were hacked, renamed and deleted
Ransomware appears to require users to play PUBG for 1 hour instead of ransom
Warning of donkey by accepting money on Facebook