Norwegian Windows security researcher Oddvar Moe has reportedly found a new malware persistence method, that is, a way for malware on an infected system to keep running after the machine is rebooted. The method abuses the Windows Registry to trick Windows itself into launching the malware's process once the system has been restarted.
The method currently works only on Windows 10 and only against apps built for the Universal Windows Platform (UWP), ZDNet reported. Automatic, reboot-surviving persistence is limited to UWP apps that Windows starts on its own, such as Cortana and the People app.
Asked about targeting other apps, Moe told ZDNet, "If an attacker targets other apps, the user needs to run that app manually for it to run the planted binary."
As Moe explained, once malware is on the target system it adds a registry key that changes how the targeted UWP app is launched: the key marks the app as one to be started under a debugger and names the executable to run as that debugger. On the next reboot, when Windows starts the app, it also runs that executable. Windows does not check that the named program is actually a debugger, so an attacker simply points the entry at their own binary, and the malware is started for them.
Moe reportedly contacted Microsoft about the issue, but because the method only works after malware has already compromised the system, it was not deemed a security vulnerability. That is the usual outcome for persistence techniques: they cross no security boundary and so are not something a patch addresses, which leaves detection and hardening as the practical defences.
Moe reportedly said that some antivirus programs may detect the new persistence method, but only indirectly. "It depends on the payload. If the payload is something that is not detected by AV it is not likely that it will trigger," Moe told ZDNet.
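Because the technique's footprint is the registry entry itself, the hook can be audited independently of whatever payload it points at. The following PowerShell script is an added example and not code from Moe or the ZDNet report. It assumes the key layout Moe documented in his own write-up of the technique, which this article does not spell out: a per-app subkey under ActivatableClasses\Package\<package>\DebugInformation holding a DebugPath value that names the executable to launch. Checking HKLM as well as HKCU, and the list of executables treated as legitimate debuggers, are this script's own assumptions.

```powershell
# Added audit example; not code from Moe's write-up or the ZDNet article.
# Assumed key layout (from Moe's published description of the technique):
#   <hive>\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation\<AppId>
#   value DebugPath = executable Windows runs as the "debugger" when it starts the app.
# Any DebugPath that is not a real debugger is a persistence candidate.

$roots = @(
    'HKCU:\Software\Classes\ActivatableClasses\Package',   # hive used in Moe's write-up
    'HKLM:\Software\Classes\ActivatableClasses\Package'    # assumption: check machine-wide too
)

# Assumed allow-list: tools that plausibly write DebugPath on a developer machine.
$knownDebuggers = @('plmdebug.exe', 'windbg.exe', 'windbgx.exe', 'cdb.exe', 'devenv.exe')

$findings = foreach ($root in $roots) {
    # One key per (package, app) pair; the registry provider resolves the wildcards.
    $hooks = Get-Item -Path "$root\*\DebugInformation\*" -ErrorAction SilentlyContinue
    foreach ($key in $hooks) {
        $debugPath = $key.GetValue('DebugPath')
        if ([string]::IsNullOrWhiteSpace($debugPath)) { continue }

        # Reduce "C:\path\tool.exe args" or "\"C:\path with spaces\tool.exe\" args" to tool.exe
        $cmd = $debugPath.Trim()
        if ($cmd.StartsWith('"')) { $cmd = $cmd.Substring(1).Split('"')[0] }
        $exe = [System.IO.Path]::GetFileName($cmd).ToLowerInvariant()

        $verdict = if ($knownDebuggers -contains $exe) { 'known debugger' } else { 'SUSPICIOUS' }

        # Key name is hive\...\Package\<pkg>\DebugInformation\<appid>
        $parts = $key.Name -split '\\'
        [pscustomobject]@{
            Hive      = $parts[0]
            Package   = $parts[-3]
            AppId     = $parts[-1]
            DebugPath = $debugPath
            Verdict   = $verdict
        }
    }
}

if (-not $findings) {
    'No UWP debugger hooks (DebugInformation\DebugPath) found.'
} else {
    $findings | Sort-Object Verdict -Descending | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt. On a workstation with no developer tooling any hit is worth examining, since nothing there should point at anything but a debugger; a hook under a Cortana or People package is the auto-start case described above, while one under another package only fires when the user opens that app. Once a hit is confirmed malicious, removing the DebugPath value from the reported key (Remove-ItemProperty on that key path with -Name DebugPath) disables the hook, and the executable it pointed at is the payload to investigate.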