Intel Rapid Storage app bug lets malware evade AV
DLL hijacking vulnerability could let hackers bypass antivirus engines
SafeBreach labs has discovered a vulnerability in Intel Rapid Storage Technology (Intel RST) that could allow malicious programs to bypass antivirus software.
Researchers from the firm discovered that in older versions of the software, the IAStorDataMGRSvc.exe executable will try to load four DLLs (Dynamic-link libraries) from the Intel Rapid Storage Technology folder on a user's C drive.
However, these DLLs do not exist in the same folder as the program's executable which means that IAStorDataMGRSvc.exe will instead try and load these DLLs from other folders on a user's computer.
- Intel snaps up Israeli chipmaker Habana Labs for $2bn
- Windows malware turns PCs into zombies
- Security flaw in Bitdefender Antivirus Free 2020 leaves millions at risk
SafeBreach took advantage of this to create their own custom DLL that is loaded once IAStorDataMGRSvc.exe starts. Since this executable runs with system privileges, the researchers' DLL is loaded with the same privileges and thus has full access to the computer.
Intel Rapid Storage Technology flaw
The vulnerability SafeBreach discovered cannot be exploited by an attacker for privilege escalation since it requires administrative privileges to create a custom DLL in the first place.
However, the vulnerability could be used by an attacker to bypass antivirus scanning engines as the custom DLL will be loaded by the trusted Intel application.
SafeBreach researcher Peleg Hadar explained to BleepingComputer how an attacker could leverage this vulnerability, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
"An attacker can evade the antivirus by running within the context of Intel and perform malicious actions. Tested, and it works, very interesting and useful technique."
SafeBreach first reported the vulnerability to Intel back in July and the chipmaker has since released updated versions of its Intel Rapid Storage Technology software that patch the issue. It is recommended that users running older versions of Intel RST update their software to the latest version to prevent falling victim to any attacks that exploit this vulnerability.
- We've also highlighted the best antivirus software
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.