TrickBot evades Windows 10 detection, bypassing User Account Control (UAC) to deliver malware. Lately, the trojan became one of the most advanced vehicles for malware delivery. Thus, it can deliver malware across multiple workstations and endpoints on a network.
UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, application or malware. But researchers at Morphisec Labs said that the TrickBot malware is particularly dangerous. That’s because it’s constantly evolving with new functionality to make it even harder to detect its delivery of malware.
“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” Morphisec security researcher Arnold Osipov said. “This is what makes TrickBot among the most advanced malware delivery vehicles; the constant evolution of methodologies used for delivery.”
How it works?
According to the report, the WSReset UAC Bypass first checks a system to see if it’s running Windows 7 or Windows 10, Osipov mentioned. In fact, the latter is a condition for the malware to use the WSReset UAC Bypass.
Thus, TrickBot authors take advantage of the WSReset.exe process. This is a Microsoft-signed executable used to reset Windows Store settings, according to its manifest file. And, according to the same researcher, key to the success of TrickBot’s new functionality is that the ‘autoElevate’ property in the process is set to “true” . “This is what allows the WSReset UAC Bypass to be used for privilege escalation,” Osipov wrote.
Then, TrickBot decrypts its strings in order to use the WSReset UAC Bypass, such as the registry path and the command to execute. Next, the trojan uses “reg.exe” in order to add the relevant keys that allow it to utilize the WSReset UAC Bypass. Finally, it executes WSReset.exe, “which will cause TrickBot to run with elevated privileges without a UAC prompt,” Osipov explained.
“TrickBot does that using ‘ShellExecuteExW’ API. This final executable allows TrickBot to deliver its payload onto workstations and other endpoints,” he wrote.
Evolution of TrickBot
TrickBot appeared in 2016 as a banking malware. But since then, it has developed into an all-purpose, module-based crimeware. This solution specifically targets corporations. Since it’s been active, its creators managed to permanently find new, inventive and elusive ways to deliver malicious payloads.
In 2019 alone, various versions of TrickBot, including a feature that goes after remote desktop credentials and an update to its password grabber appeared.
Also, last year, researchers found evidence that the crimeware organization behind TrickBot forged an unprecedented union with North Korean APT group Lazarus. So, this was obvious through an all-in-one attack framework developed by TrickBot called Anchor Project.
So, researchers consider we should be ready for a very difficult 2020, when it comes to TrickBot. Until now, a team from SentinelLabs discovered that bad boys added a hidden backdoor dubbed “PowerTrick” already had been added to TrickBot.
TrickBot evades Windows 10 detection after cybersecurity experts discovered a new version of the Snatch ransomware which reboots infected Windows computers into Safe Mode.