Trend Micro Anti-Threat Toolkit could be used to run malware on Win PCs

A vulnerability in the Trend Micro Anti-Threat Toolkit (ATTK) can be exploited by attackers to run malware on targets’ Windows systems.

The security expert and bug-hunter John “hyp3rlinx” Page discovered an arbitrary code execution vulnerability, tracked as CVE-2019-9491, in the Trend Micro Anti-Threat Toolkit.

Trend Micro ATTK allows analyzing malware issues and clean infections. It can be used to perform system forensic scans and clean various types of infections.

The vulnerability could be exploited by attackers to run malware on target Windows computers.

“Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of “cmd.exe” or “regedit.exe” and the malware can be placed in the vacinity of the ATTK when a scan is launched by the end user.” reads the advisory published by the expert. “Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as each time the Anti-Threat Toolkit is run so can an attackers malware. Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)”

The expert discovered that is possible to trick the Trend Micro Anti-Threat Toolkit into executing any malicious code when it is named “cmd.exe” or “regedit.exe.”

An attacker that is able to save a malicious file with the above filenames on the target’s PC running the ATTK could exploit the flaw.

Below a video proof of concept of the attack:

The expert also published a PoC exploit code in the advisory.

Below the vulnerability timeline:

• Vendor Notification: September 9, 2019
• Vendor confirms vulnerability: September 25, 2019
• Vendor requests to coordinate advisory: September 25, 2019
• Public Disclosure October 19, 2019
• September 25, 2019 October 19, 2019 Public Disclosure

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Anti-Threat Toolkit, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]