Signed software abused to deploy antivirus-killing scripts

Summary

A digitally signed adware tool has been observed disabling antivirus protections on numerous endpoints across several critical sectors, including education, utilities, government, and healthcare. The malicious scripts ran with SYSTEM privileges, the highest local privilege on Windows, which is what allowed them to stop or reconfigure security services that an ordinary user account cannot touch.

IFF Assessment

FOE

This is bad news for defenders: a valid code signature is often treated as a trust signal by allow-listing and reputation controls, and here it was carried by legitimate-looking software that was used to bypass those controls, disable antivirus protections, and deploy harmful payloads as SYSTEM.

Defender Context

Defenders should be aware of the increasing trend of attackers abusing legitimate signed software to bypass security measures. A valid signature proves who signed a binary and that it has not been modified since; it says nothing about what the binary does, so "signed" should never be the sole criterion for allow-listing or for suppressing alerts. Monitoring for unusual script execution, especially script hosts (PowerShell, cmd, wscript) launched as SYSTEM from non-system parents and command lines that disable real-time protection, add exclusions, or stop security services, is crucial, as is keeping endpoint detection and response (EDR) tooling up to date and enabling its tamper protection so that a SYSTEM-level script cannot simply switch it off.
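The following is an added detection example and is not code from the original article or from any vendor. It scans process-creation records for script hosts whose command line matches common antivirus-tampering patterns and raises the severity when the process runs as SYSTEM. The event format (a flat dict with image, user, parent, parent_signed and cmdline fields), the sample events, and the pattern list are all constructed assumptions for illustration; a real deployment would feed it Sysmon Event ID 1 or EDR telemetry and extend the patterns to whatever endpoint product is in use.

```python
"""Flag script hosts that carry AV-tampering command lines, weighted by privilege.

Added example, not from the original article. The event schema and sample
records below are constructed for illustration (an assumption, not a real
log format); the tamper patterns are a starting point, not a complete list.
"""
import re

# Interpreters that are commonly abused to run tampering one-liners.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Account names treated as "elevated" for scoring (lower-cased for comparison).
ELEVATED_USERS = {r"nt authority\system", "system"}

# Command-line fragments that disable or neuter Microsoft Defender. Service
# names (WinDefend, Sense, WdNisSvc) and the DisableAntiSpyware policy value
# are real; the regexes themselves are this example's assumption.
TAMPER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"set-mppreference\b.*-disable\w+",                   # e.g. -DisableRealtimeMonitoring
    r"add-mppreference\b.*-exclusion\w*",                 # new Defender exclusions
    r"\bsc(\.exe)?\s+(stop|config|delete)\s+(windefend|sense|wdnissvc)\b",
    r"\bnet(\.exe)?\s+stop\s+(windefend|sense|wdnissvc)\b",
    r"disableantispyware",                                # registry policy value
)]

# Constructed sample process-creation records (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\ProgramData\Vendor\updater.exe",
     "parent_signed": True,
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
                '-Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\ProgramData\Vendor\updater.exe",
     "parent_signed": True, "cmdline": "cmd.exe /c sc stop WinDefend"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe",
     "parent_signed": True, "cmdline": "powershell.exe Get-MpComputerStatus"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\Program Files\ConfigMgr\ccmexec.exe",
     "parent_signed": True, "cmdline": r"powershell.exe -File C:\Windows\Temp\inventory.ps1"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"CORP\jdoe", "parent": r"C:\Users\jdoe\Downloads\setup.exe",
     "parent_signed": False,
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\jdoe\Downloads"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> tuple:
    """Return (severity, reason). Severity is 'high', 'medium' or None.

    Only script hosts are considered; a match is 'high' when the process runs
    as SYSTEM (the case in the article) and 'medium' otherwise. A signed parent
    is recorded in the reason but never lowers the score: signature validity is
    not a benign-intent signal.
    """
    if image_name(event["image"]) not in SCRIPT_HOSTS:
        return None, ""
    hits = [p.pattern for p in TAMPER_PATTERNS if p.search(event["cmdline"])]
    if not hits:
        return None, ""
    elevated = event["user"].lower() in ELEVATED_USERS
    severity = "high" if elevated else "medium"
    parent_note = ("signed parent; do not whitelist on signature alone"
                   if event.get("parent_signed") else "unsigned parent")
    reason = (f"{image_name(event['image'])} as {event['user']} spawned by "
              f"{image_name(event['parent'])} ({parent_note}); "
              f"{len(hits)} tamper pattern(s) matched")
    return severity, reason


def scan(events: list) -> list:
    """Return [(event id, severity, reason)] for every flagged event, in order."""
    findings = []
    for e in events:
        severity, reason = classify(e)
        if severity:
            findings.append((e["id"], severity, reason))
    return findings


if __name__ == "__main__":
    for event_id, severity, reason in scan(EVENTS):
        print(f"[{severity.upper()}] event {event_id}: {reason}")
```

Run against the constructed sample, events 1 and 2 (SYSTEM-level Defender tampering spawned by a signed updater) are reported as high, event 5 (an unprivileged user adding an exclusion) as medium, and the benign SYSTEM inventory script and the status query are not reported at all. The point of the scoring is the article's own finding: the combination of script host, tampering command line and SYSTEM privilege is what should page someone, regardless of whether the parent binary carries a valid signature.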

Read Full Story →