Intel Rapid Storage app bug lets malware evade AV
DLL hijacking vulnerability could let hackers bypass antivirus engines
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
SafeBreachlabs has discovered a vulnerability inIntelRapid Storage Technology (Intel RST) that could allow malicious programs to bypassantivirussoftware.
Researchers from the firm discovered that in older versions of the software, the IAStorDataMGRSvc.exe executable will try to load four DLLs (Dynamic-link libraries) from the Intel Rapid Storage Technology folder on a user’s C drive.
However, these DLLs do not exist in the same folder as the program’s executable which means that IAStorDataMGRSvc.exe will instead try and load these DLLs from other folders on a user’s computer.
SafeBreach took advantage of this to create their own custom DLL that is loaded once IAStorDataMGRSvc.exe starts. Since this executable runs with system privileges, the researchers' DLL is loaded with the same privileges and thus has full access to the computer.
Intel Rapid Storage Technology flaw
The vulnerability SafeBreach discovered cannot be exploited by an attacker forprivilege escalationsince it requires administrative privileges to create a custom DLL in the first place.
However, the vulnerability could be used by an attacker to bypass antivirus scanning engines as the custom DLL will be loaded by the trusted Intel application.
SafeBreach researcher Peleg Hadar explained toBleepingComputerhow an attacker could leverage this vulnerability, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“An attacker can evade the antivirus by running within the context of Intel and perform malicious actions. Tested, and it works, very interesting and useful technique.”
SafeBreach first reported the vulnerability to Intel back in July and the chipmaker has since releasedupdated versionsof its Intel Rapid Storage Technology software that patch the issue. It is recommended that users running older versions of Intel RST update their software to the latest version to prevent falling victim to any attacks that exploit this vulnerability.
ViaBleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
Belkin’s Travel Bag for Vision Pro has pockets and is way cheaper than Apple’s own case
