Zero-day flaw in .NET Core lets hackers break any antivirus & evade detection

Specialists from a cyber security consulting company reported the finding of a vulnerability in the .NET Core library that would allow threat actors to initiate malware while evading security tools on the affected system. Apparently, the vulnerability exists due to a Microsoft bug that allows users with lower privileges to load malicious DLLs.

According to the report, hackers interested in exploiting this vulnerability would first require access to any level on the target system, so the attack requires an existing exploit. Attackers might be very interested in this flaw because it would prevent their malicious payloads for other attacks from being detected by antivirus and more sophisticated security tools.

To exploit the vulnerability, a threat actor must create a malicious junk file collector to run on the vulnerable device and subsequently set an environment variable for .NET Core to use the custom DLL, mentioned by specialists from a cyber security consulting company.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es netcore01.jpg
SOURCE: BleepingComputer

When loaded, the malicious code will be executed by the legitimate .NET Core process, dotnet.exe, under the impression that the DLL is simply a custom garbage collector.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es netcore02.jpg
SOURCE: BleepingComputer

When the .NET Core Framework loads the custom garbage collector DLL, the load starts running, leading to a reverse TCP shell.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es netcore03.jpg
SOURCE: BleepingComputer

In an attack scenario, malicious hackers with access to affected systems could use a script for .NET Core to run a malicious DLL without security tools being able to detect unusual activity.

Using a sophisticated technique, specialists from a cyber security consulting company injected code into a legitimate process, demonstrating the possibility of exploitation. Because the execution of the malicious code is carried out under a legitimate process, exploitation is useful for hackers seeking to evade controls on an affected system.

This attack variant was reported to Microsoft, although in response to the report, the company considered this not a vulnerability: “We do not consider this to be a security vulnerability; its exploitation requires attackers to modify the security of the environment, which means that other security checks must be compromised in advance,” the Microsoft Security Response Center (MSRT) report says.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.