A new antivirus-bypass technique dubbed "Illusion Gap" exploits a design choice in how Windows Defender scans files hosted on an SMB (shared folder) server before they are executed.
In many offices this is simply the shared network drive on the local area network (LAN), a dated term; the storage appliance behind it is more often called network-attached storage (NAS) today.
For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under the attacker's control. This is not as complex as it sounds: a simple shortcut file pointing at the share is all that's needed.
How Illusion Gap works
The problem occurs after the user double-clicks this malicious file. By default, Windows requests a copy of the file from the SMB server in order to create the process that will execute it, while Windows Defender issues its own request for a copy of the file in order to scan it.
A malicious SMB server can tell these two requests apart, and that is the flaw: the attacker configures the server to answer each request with a different file.
The attacker serves the malicious file to the Windows PE loader and a benign file to Windows Defender. Windows Defender scans the clean file and gives the go-ahead, and the PE loader then executes the malicious file, with Defender never realizing that the file it scanned and the file that ran were two different things.
From https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass-part-1/
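The following is an added illustration of the race described above, not code from the CyberArk write-up and not a real SMB implementation. It simulates an attacker-controlled share that answers the scanner's read and the loader's read with different bytes, shows why the "scan one copy, execute another" flow is defeated, and shows the invariant a defender wants instead (scan exactly the bytes that will be executed) plus a simple divergence check. How a real server fingerprints the two requests is abstracted into an explicit `requester` label, which is an assumption for illustration only; the two "PE images" are constructed byte strings, not real binaries.

```python
import hashlib

# Constructed stand-ins for two PE images (not real binaries, not real
# malware): what the attacker's server presents to the scanner and to
# the loader respectively.
CLEAN_IMAGE = b"MZ\x90\x00" + b"harmless stub program"
PAYLOAD_IMAGE = b"MZ\x90\x00" + b"attacker payload"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class AttackerSmbServer:
    """Simulated attacker-controlled SMB server.

    A real server distinguishes the scanner's read from the loader's
    read on the wire; here that is abstracted into an explicit
    `requester` label ("scanner" or "loader"). This is an assumption
    made for illustration, not the actual fingerprinting technique.
    """

    def __init__(self, for_scanner, for_loader):
        self._responses = {"scanner": for_scanner, "loader": for_loader}
        self.requests = []  # (path, requester) log

    def read_file(self, path, requester):
        self.requests.append((path, requester))
        return self._responses[requester]


class HonestSmbServer:
    """Ordinary share: every reader gets the same bytes."""

    def __init__(self, content):
        self._content = content

    def read_file(self, path, requester):
        return self._content


def av_verdict(image):
    """Toy scanner standing in for Windows Defender: it only knows the
    constructed marker string used in PAYLOAD_IMAGE above."""
    return "malicious" if b"attacker payload" in image else "clean"


def naive_launch(server, path):
    """The flawed flow from the article: the scanner and the PE loader
    each fetch the file with their own request, so a content-switching
    server can hand them different bytes."""
    scanned = server.read_file(path, "scanner")
    if av_verdict(scanned) != "clean":
        return ("blocked", None)
    loaded = server.read_file(path, "loader")  # second, separate read
    return ("executed", sha256_hex(loaded))


def single_fetch_launch(server, path):
    """Hardened flow: fetch once, scan that buffer, and hand the very
    same buffer to the loader, so there is no second read to subvert."""
    image = server.read_file(path, "loader")
    if av_verdict(image) != "clean":
        return ("blocked", None)
    return ("executed", sha256_hex(image))


def reads_diverge(server, path):
    """Detection check: read the file as the scanner would and as the
    loader would and compare digests. An honest share yields False;
    a server that switches content per requester yields True."""
    as_scanner = sha256_hex(server.read_file(path, "scanner"))
    as_loader = sha256_hex(server.read_file(path, "loader"))
    return as_scanner != as_loader


if __name__ == "__main__":
    evil = AttackerSmbServer(for_scanner=CLEAN_IMAGE, for_loader=PAYLOAD_IMAGE)
    target = r"\\evil\share\update.exe"  # constructed UNC path
    print("naive flow:       ", naive_launch(evil, target))
    print("single-fetch flow:", single_fetch_launch(evil, target))
    print("reads diverge:    ", reads_diverge(evil, target))
```

The point of the two flows is the invariant, not the toy scanner: the bypass only exists because the scan and the execution are fed by two independent fetches. `single_fetch_launch` is a model of that invariant, not a description of how Microsoft addressed the issue; the divergence check is likewise a simulated test harness, since on a real network the scanner and loader reads are distinguished by the server, not by a label the client controls.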