Micro Fixes Vulnerability in an Anti-Threat Toolkit
Trend Micro recently patched its Anti-Threat Toolkit (ATTK) for a high-grade remote software execution vulnerability.
The Trend Micro ATTK tool lets users scan their system and perform clean rootkit, ransomware, MBR and other malware diseases.
Researcher John Page, also known as hyp3rlinx, pointed out that attackers could exploit ATTK by planting malicious files called cmd. EXe or Regedit. EXe in the same folder as the tool to execute arbitrary code on a targeted device. If a search is performed, the program will run the malicious files.
“Because ATTK has been signed by a checked editor so any trusted alert on protection from MOTW is circumvented if the malware is installed on the internet, it can also become a persistance mechanism since an intruder malware could run the Anti-Threat toolkit every time,” Page said in an advisory.
A video showing how the attack works was published by the researcher: Trend Micro, tracked under CVE-2019-9491 on September 9th and an October 18 patch was released with version 220.127.116.113. The bug would impact versions 18.104.22.1688 and below on Windows.
Additional tools like WCRY Patch Tool and OfficeScan Toolbox also incorporate ATTK, and updates have been given to deal with the problem.
“The use of such vulnerabilities usually requires an intruder (physical or remote) to have access to a compromised device. In addition, customers are also recommended to update remote access to critical facilities, and to ensure that policies and perimeter security are up-to-date, “Trend Micro said in its advisory. “Trend Micro urges customers to upgrade to their new buildings as soon as possible, though an exploit can allow some different requirements to be fulfilled.”