SafeBreach Labs security researcher Or Yair discovered several vulnerabilities that allowed him to turn endpoint detection and response (EDR) and antivirus (AV) products into wipers.
The identified issues, which were presented on Wednesday at the Black Hat Europe cybersecurity conference, allowed the researcher to trick the vulnerable security products into deleting arbitrary files and directories on the system and render the machine unusable.
Dubbed Aikido, the researcher’s wiper abuses the elevated privileges that EDR and AV products hold on the system: it stages decoy directories whose paths mirror those of legitimate files, so that a deletion the product carries out against the decoy path is redirected onto the real file.
“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable,” the researcher explains.
The Aikido wiper exploits the time-of-check/time-of-use window between the moment a security product detects a malicious file and the moment it actually deletes it, combined with a Windows feature that lets any user create junction points regardless of their account’s privileges. Junctions are NTFS reparse points that redirect one directory path to another, much like symbolic links (symlinks), but unlike symlinks they require neither administrative rights nor the symlink-creation privilege. Because the product records a path at detection time and acts on it later, an attacker who swaps the decoy directory for a junction in between can make that recorded path resolve to a different, legitimate file.
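The following is an added illustration of that path-redirection window and of the check a deletion routine should perform before acting on a path it recorded earlier. It is example code written for this page, not SafeBreach’s tool or any vendor’s remediation code. It uses a POSIX symlink as the portable stand-in for a Windows junction (the reparse-point check it also performs only has an effect on Windows), and all file and directory names (`victim/important.txt`, `decoy/...`) are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _is_reparse_point(p: Path) -> bool:
    """Windows only: True if `p` carries FILE_ATTRIBUTE_REPARSE_POINT (a junction,
    mount point or symlink). Elsewhere st_file_attributes is absent, so False."""
    try:
        st = os.lstat(p)
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def path_crosses_link(path, trusted_root) -> bool:
    """True if any component of `path` below `trusted_root` is a symlink or, on
    Windows, any reparse point such as a junction. `trusted_root` must be a real,
    already-resolved directory that the caller controls."""
    rel = Path(path).relative_to(trusted_root)
    cur = Path(trusted_root)
    for part in rel.parts:
        cur = cur / part
        if cur.is_symlink() or _is_reparse_point(cur):
            return True
    return False


class Detection:
    """What a scanner records when it flags a file: the path it saw, and what
    that path resolved to at that moment (the 'time of check')."""

    def __init__(self, path):
        self.path = str(path)
        self.resolved = os.path.realpath(self.path)


def naive_remediate(det: Detection) -> None:
    """Deferred deletion by recorded path only. os.remove follows whatever the
    path resolves to *now*, which is the behaviour the redirection abuses."""
    os.remove(det.path)


def guarded_remediate(det: Detection, trusted_root) -> None:
    """Deferred deletion that re-validates the path at the 'time of use'."""
    if path_crosses_link(det.path, trusted_root):
        raise PermissionError(f"refusing: {det.path} now crosses a link or junction")
    if os.path.realpath(det.path) != det.resolved:
        raise PermissionError("refusing: path no longer resolves to the detected file")
    os.remove(det.path)


def run_demo() -> dict:
    """Stage the scenario in a scratch directory and report what each
    remediation strategy did to the legitimate file."""
    root = Path(os.path.realpath(tempfile.mkdtemp()))
    try:
        # The legitimate file the attacker wants destroyed (constructed).
        victim = root / "victim" / "important.txt"
        victim.parent.mkdir()
        victim.write_text("real data\n")

        # The decoy: same relative path, one directory deeper (constructed).
        decoy = root / "decoy" / "victim" / "important.txt"
        decoy.parent.mkdir(parents=True)
        decoy.write_text("bait the scanner flags (constructed)\n")

        det = Detection(decoy)  # scanner flags the decoy and defers deletion

        # Unprivileged attacker: drop the decoy tree and plant a link so that
        # root/decoy now points at root itself (a junction on Windows).
        shutil.rmtree(root / "decoy")
        os.symlink(root, root / "decoy", target_is_directory=True)

        refused = False
        try:
            guarded_remediate(det, root)
        except PermissionError:
            refused = True
        survives_guarded = victim.exists()

        naive_remediate(det)  # deletes root/victim/important.txt
        survives_naive = victim.exists()

        return {
            "guarded_refused": refused,
            "victim_survives_guarded": survives_guarded,
            "victim_survives_naive": survives_naive,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The guarded routine still has a small gap between its own checks and the unlink; a product that wants to close it fully has to act on a handle or directory descriptor it obtained at detection time rather than on a path string, and on Windows should open each component with the flag that refuses to follow reparse points. The point of the example is the minimum bar: a deferred deletion must never trust a path it recorded earlier without revalidating it.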
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.