Security researchers have observed new samples of the TrickBot Trojan – one of the most prominent malware delivery tools currently in use – that leverage the Windows 10 WSReset UAC Bypass to stealthily infect machines running Windows 10 with malware without displaying any prompts.
User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes to the operating system initiated by applications, users, or malware. UAC ensures that certain changes are made only with the administrator's approval; otherwise they are not executed.
According to Morphisec’s analysis of the new TrickBot variant, the WSReset UAC Bypass process starts with the malware checking whether the system is running Windows 7 or Windows 10. If it determines that the machine is running Windows 7, TrickBot uses the CMSTPLUA UAC bypass; if the system is running Windows 10, TrickBot leverages the WSReset UAC Bypass.
Discovered in March 2019, the WSReset UAC Bypass takes advantage of the WSReset.exe process, a Microsoft-signed executable used to reset Windows Store settings. This binary has auto-elevate privileges, which allows the WSReset UAC Bypass to be used for privilege escalation.
In order to use the WSReset UAC Bypass, TrickBot decrypts the binary’s strings (such as the registry path and the command to execute) and then adds the relevant keys using “reg.exe”. The final step is the execution of WSReset.exe, allowing TrickBot to run with elevated privileges without triggering a UAC prompt. The malware does this using the ‘ShellExecuteExW’ API. This final step allows TrickBot to deliver its payload onto workstations and other endpoints.
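As an added illustration that is not part of the article or of Morphisec’s analysis, the following detection logic correlates the two-step sequence described above, reg.exe writing a per-user shell\open\command value and WSReset.exe launching shortly afterwards on the same host, over constructed Sysmon-like process-creation events. The assumption that the hijacked key lives under HKCU\Software\Classes is the editor's; the article does not name the key, so the key name in the sample is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# The registry key name is a placeholder: the article only says TrickBot adds
# "the relevant keys" with reg.exe before launching WSReset.exe.
SAMPLE_EVENTS = [
    {"ts": "2020-01-15T10:00:00", "host": "WS01",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Classes\<PLACEHOLDER_KEY>\shell\open\command" /ve /d "C:\Users\u\AppData\Local\Temp\loader.exe" /f',
     "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"ts": "2020-01-15T10:00:03", "host": "WS01",
     "image": r"C:\Windows\System32\WSReset.exe",
     "cmdline": r"C:\Windows\System32\WSReset.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    # Benign: a user resetting the Store cache from Explorer, with no preceding reg.exe write.
    {"ts": "2020-01-15T11:30:00", "host": "WS02",
     "image": r"C:\Windows\System32\WSReset.exe",
     "cmdline": r"C:\Windows\System32\WSReset.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# reg.exe writing a per-user (HKCU) shell\open\command value; WSReset.exe honours
# per-user class registrations, so this is the write the bypass depends on (assumption).
REG_WRITE = re.compile(
    r"reg(\.exe)?\s+add\s+.*HKCU\\Software\\Classes\\.*\\shell\\open\\command",
    re.IGNORECASE,
)


def detect_wsreset_bypass(events, window_seconds=60):
    """Return one alert per WSReset.exe launch that follows, within window_seconds,
    a matching reg.exe write on the same host."""
    alerts = []
    reg_writes = {}  # host -> list of timestamps of suspicious reg.exe writes
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].lower()
        if image.endswith(r"\reg.exe") and REG_WRITE.search(ev["cmdline"]):
            reg_writes.setdefault(ev["host"], []).append(ts)
        elif image.endswith(r"\wsreset.exe"):
            recent = [t for t in reg_writes.get(ev["host"], [])
                      if 0 <= (ts - t).total_seconds() <= window_seconds]
            if recent:
                alerts.append({"host": ev["host"], "ts": ev["ts"], "parent": ev["parent"]})
    return alerts
```

In production telemetry, a registry-event source (rather than reg.exe command lines alone) would also catch the same write performed through the registry API instead of reg.exe.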