Intel Rapid Storage app bug lets malware evade AV – TechRadar

SafeBreach labs has discovered a vulnerability in Intel Rapid Storage Technology (Intel RST) that could allow malicious programs to bypass antivirus software.

Researchers from the firm discovered that in older versions of the software, the IAStorDataMGRSvc.exe executable will try to load four DLLs (Dynamic-link libraries) from the Intel Rapid Storage Technology folder on a user’s C drive.

However, these DLLs do not exist in the same folder as the program’s executable which means that ¬†IAStorDataMGRSvc.exe will instead try and load these DLLs from other folders on a user’s computer.

SafeBreach took advantage of this to create their own custom DLL that is loaded once IAStorDataMGRSvc.exe starts. Since this executable runs with system privileges, the researchers’ DLL is loaded with the same privileges and thus has full access to the computer.

Intel Rapid Storage Technology flaw

The vulnerability SafeBreach discovered cannot be exploited by an attacker for privilege escalation since it requires administrative privileges to create a custom DLL in the first place.

However, the vulnerability could be used by an attacker to bypass antivirus scanning engines as the custom DLL will be loaded by the trusted Intel application.

SafeBreach researcher Peleg Hadar explained to BleepingComputer how an attacker could leverage this vulnerability, saying:

“An attacker can evade the antivirus by running within the context of Intel and perform malicious actions. Tested, and it works, very interesting and useful technique.”

SafeBreach first reported the vulnerability to Intel back in July and the chipmaker has since released updated versions of its Intel Rapid Storage Technology software that patch the issue. It is recommended that users running older versions of Intel RST update their software to the latest version to prevent falling victim to any attacks that exploit this vulnerability.

Via BleepingComputer