CFA isn’t able to detect the modification of a large amount of files in a short period of time and prevent it.
Microsoft Office documents may contain built-in macros which attackers can use to deliver malware to encrypts files. One of WMI capabilities is to remove files using the CIM_DataFile object so, basic ransomware would be able to read the user’s files, encrypt them to a non-protected folder and then, using WMI, remove the original files. As Windows Defender doesn’t detect this injection technique, the malicious DLL injected to Explorer can basically do anything to a user’s protected files since it runs under a trusted process. They Nyotron Security Research Team was able to bypass CFA by injecting malicious code into explorer.exe using APC Injection. The Nyotron Security Research Team has discovered at least three ways to do this: APC Injection, Windows Management Instrumentation (WMI) and Office Macros. CFA is disabled by default, and can be enabled under the Windows Defender Security Center panel.Īlthough Windows 10’s CFA anti-ransomware feature is a good step in the right direction, even a slightly sophisticated attack will easily bypass it.
0 kommentar(er)
