Attackers exploit MS Windows 'God Mode' for evil ends

It appears that the developer mode of MS Windows, otherwise known as 'God Mode', is being leveraged by attackers to hide malware.

Windows 'God Mode' is being used to hide malware
Windows 'God Mode' is being used to hide malware

Hackers are exploiting the ‘God Mode' admin feature in Microsoft Windows to hide their malware, according to McAfee Labs/Intel Security.

The God Mode – or Windows Master Control Panel shortcut - is an undocumented feature built into all versions of Windows since Vista. It allows users to set up a special folder that gives them quick access to all Windows control panels and settings, like My Computer or their printers folder.

But says McAfee research architect Craig Schmugar in a 26 April blog: “Attackers are now using this undocumented feature for evil ends.”

McAfee has found an instance of the Dynamer Trojan hidden inside a shortcut folder. The malware is  crafted to survive reboots, and when the unsuspecting user checks the folder where the malware is hidden, they are shown a window that contains no files.

“To make matters worse,” Schmugar says, “the malware author has attempted to give this directory eternal life, by pre-pending the name ‘com4'. Such device names are forbidden by normal Windows Explorer and cmd.exe commands and Windows treats the folder as a device - thus preventing users from otherwise easily deleting the folder with Explorer or typical console commands.”

McAfee gives no further detail of the author of the malware, or any exploitation in the wild. But it suggests a solution to users: they should terminate the malware via Task Manager or similar then run this command from the command prompt (cmd.exe):

> rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q

Separately, McAfee has also found new ‘macro' malware that uses advanced obfuscation and several layers of evasion to escape detection.

Macro malware – widespread in the 1990s - typically drops malicious MS Office files via macros containing Visual Basic scripts. And in a 26 April blog, McAfee Labs' Devendra Singh says the latest variant found in the wild uses virtual machine awareness to escape analysis by security researchers, and sandbox awareness to avoid honeypot traps.

McAfee is linking the malware to an unnamed known “threat group” which previously distributed the Donoff Trojan.

Singh said: “These actors have compromised a legitimate website to deploy their payload. During our analysis, this hard-coded link served a file which indicated that the attackers were still preparing the environment and had not yet uploaded a malicious payload. Intel Security has contacted the site owner.”

Analysing the God Mode exploit, Sarb Sembhi, CTO of the Noord Group and a leading member of the ISACA security professionals organisation, said it presents a real risk to end-users.

He told SC via email: “This technique is dangerous as it is something that is typically beyond the realms of ordinary users to detect or delete easily. Using this legitimate built-in technique, a malicious person can create a payload that is persistent on the end-user's machine.”

Sembhi added: “This is just one of the ways that we know of hackers using legitimate Windows admin functions to remain hidden and persistent. I'm sure we will see others in time to come, and that is likely to be a bigger can of worms to worry about. It goes to show that AV is not quite dead yet, and updating your AV is as important as it has ever been, especially where you would otherwise have to take technical action as a non-technical end-user.”

Aatish Pattni, head of threat prevention for Northern Europe at Check Point, highlighted the God Mode threat as another example of backdoor access into devices.

He told SC via email: “Modern malware is designed specifically to evade detection and gain quick access to networks. Rather than writing complex exploit techniques, threat actors often utilise system weaknesses such as backdoors for easy access. Developers are currently debating the request from nation-states for even more backdoor access so we can expect that threat actors are also taking a keen interest - thus a significant increase in the use of this type of malware is to be expected.”

Pattni advised a three-pronged approach: “Developers need to invest in security controls around backdoor access; businesses need to have full visibility of the backdoor accesses in their networks; and security protections need to look beyond the OS to catch evasion techniques at a CPU-level.”