TrickBot switched to a new Windows 10 UAC bypass to evade detection

Security researchers have observed new samples of the TrickBot Trojan – one of the most prominent malware delivery tools currently in use – that leverage the Windows 10 WSReset UAC Bypass to stealthily infect machines running Windows 10 with malware without displaying any prompts.

User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes to the operating system initiated by applications, users, or malware. It ensures that certain changes are made only with the administrator's approval; otherwise, the changes are not executed.

According to MorphiSec’s analysis of the new TrickBot variant, the WSReset UAC Bypass process starts with the malware checking whether the system is running Windows 7 or Windows 10. If it determines that the machine is running Windows 7, TrickBot uses the CMSTPLUA UAC bypass; if the system is running Windows 10, TrickBot leverages the WSReset UAC Bypass.

Discovered in March 2019, the WSReset UAC Bypass takes advantage of the WSReset.exe process, a Microsoft-signed executable used to reset Windows Store settings. This binary has auto-elevate privileges, which allows the WSReset UAC Bypass to be used for privilege escalation.

To use the WSReset UAC Bypass, TrickBot decrypts the binary’s strings (such as the registry path and the command to execute) and then adds the relevant keys using reg.exe. The final step is the execution of WSReset.exe, which allows TrickBot to run with elevated privileges without triggering a UAC prompt; the malware does this using the ShellExecuteExW API. This final executable allows TrickBot to deliver its payload onto workstations and other endpoints.
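As an added example (not part of MorphiSec's analysis or the TrickBot code), the following Python correlates constructed process-creation events to flag the two observable steps of the sequence just described: reg.exe writing to the user hive shortly before WSReset.exe runs, and WSReset.exe spawning a child process. The event layout, file paths and the registry key are assumptions and placeholders, not values taken from the malware.

```python
# Added example: correlate constructed process-creation events (not real
# telemetry) to flag the WSReset.exe auto-elevation pattern described above.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime
    user: str
    image: str         # full path of the started process (assumed field layout)
    cmdline: str
    parent_image: str  # full path of the parent process

# Constructed sample events; registry key and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2020, 1, 24, 10, 0, 0), "ws\\alice", r"C:\Windows\System32\reg.exe",
              r'reg.exe add "HKCU\PLACEHOLDER-KEY" /ve /d "C:\Users\alice\AppData\Local\Temp\payload.exe" /f',
              r"C:\Users\alice\AppData\Local\Temp\loader.exe"),
    ProcEvent(datetime(2020, 1, 24, 10, 0, 2), "ws\\alice", r"C:\Windows\System32\WSReset.exe",
              "WSReset.exe", r"C:\Users\alice\AppData\Local\Temp\loader.exe"),
    ProcEvent(datetime(2020, 1, 24, 10, 0, 3), "ws\\alice", r"C:\Users\alice\AppData\Local\Temp\payload.exe",
              "payload.exe", r"C:\Windows\System32\WSReset.exe"),
    # Benign: a user resetting the Store from Explorer, no reg.exe, no child.
    ProcEvent(datetime(2020, 1, 24, 11, 0, 0), "ws\\bob", r"C:\Windows\System32\WSReset.exe",
              "WSReset.exe", r"C:\Windows\explorer.exe"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_wsreset_bypass(events, window=timedelta(seconds=30)):
    """Return (user, timestamp, reason) findings for suspicious WSReset.exe activity."""
    findings = []
    events = sorted(events, key=lambda e: e.ts)
    for ev in events:
        if basename(ev.image) != "wsreset.exe":
            continue
        # Rule 1: WSReset.exe normally spawns nothing; any child process is suspicious.
        for c in events:
            if (basename(c.parent_image) == "wsreset.exe" and c.user == ev.user
                    and ev.ts <= c.ts <= ev.ts + window):
                findings.append((ev.user, c.ts, f"WSReset.exe spawned {basename(c.image)}"))
        # Rule 2: reg.exe adding a key under the user hive just before WSReset.exe ran.
        for r in events:
            cmd = r.cmdline.lower()
            if (basename(r.image) == "reg.exe" and r.user == ev.user and " add " in cmd
                    and "hkcu\\" in cmd and ev.ts - window <= r.ts <= ev.ts):
                findings.append((ev.user, ev.ts, "reg.exe wrote an HKCU key before WSReset.exe"))
    return findings
```

Both rules fire on the constructed alice sequence and neither on bob's interactive Store reset, which is the false-positive case a practitioner would want the rule to ignore.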
