31 January 2020

TrickBot switched to a new Windows 10 UAC bypass to evade detection

Security researchers have observed new samples of the TrickBot Trojan – one of the most prominent malware delivery tools currently in use – that use the Windows 10 WSReset UAC bypass to infect machines running Windows 10 without displaying any prompt to the user.

User Account Control (UAC) is a security feature in Windows designed to prevent unauthorized changes to the operating system, whether initiated by applications, users, or malware. UAC ensures that certain changes are made only with an administrator's approval; otherwise they are not executed.

According to Morphisec's analysis of the new TrickBot variant, the WSReset UAC bypass process starts with the malware checking whether the system is running Windows 7 or Windows 10. If it determines that the machine is running Windows 7, TrickBot uses the CMSTPLUA UAC bypass; if the system is running Windows 10, TrickBot uses the WSReset UAC bypass.

Discovered in March 2019, the WSReset UAC bypass takes advantage of the WSReset.exe process, a Microsoft-signed executable used to reset Windows Store settings. This binary is marked as auto-elevating, which is what allows the WSReset UAC bypass to be used for privilege escalation.

In order to use the WSReset UAC bypass, TrickBot decrypts the binary's strings (such as the registry path and the command to execute) and then adds the relevant keys using reg.exe. The final step is the execution of WSReset.exe via the ShellExecuteExW API, which lets TrickBot run with elevated privileges without triggering a UAC prompt. From that elevated process, TrickBot delivers its payload onto workstations and other endpoints.
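The sequence described above (a reg.exe write under HKCU\Software\Classes, then WSReset.exe launching a process) is what a defender can look for. The following is an added detection example, not code from the article or from Morphisec: it correlates constructed Sysmon-style process-creation events per host, assuming the fields ts, host, image, parent and cmdline, and uses a placeholder for the registry key because the article does not name it. WSReset.exe launching a child process is treated as suspicious on its own, since it does not normally do so.

```python
from datetime import datetime, timedelta

# Correlation window between the registry write and the WSReset.exe child.
WINDOW = timedelta(minutes=5)

# Constructed process-creation events (Sysmon-style, simplified). The key under
# HKCU\Software\Classes is a placeholder: the article does not name it.
SAMPLE_EVENTS = [
    {"ts": "2020-01-31T10:00:01", "host": "ws01", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "cmdline": r'reg.exe add HKCU\Software\Classes\<PLACEHOLDER-KEY>\Shell\open\command /d "C:\Users\u\AppData\Local\Temp\loader.exe" /f'},
    {"ts": "2020-01-31T10:00:04", "host": "ws01", "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "parent": r"C:\Windows\System32\WSReset.exe", "cmdline": "loader.exe"},
    # Legitimate use: a user resets the Store cache and WSReset.exe spawns nothing.
    {"ts": "2020-01-31T10:01:00", "host": "ws02", "image": r"C:\Windows\System32\WSReset.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WSReset.exe"},
    # reg.exe writing elsewhere in HKCU is routine and must not alert.
    {"ts": "2020-01-31T10:02:00", "host": "ws03", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Office\16.0\Common /v x /d 1 /f"},
    # WSReset.exe child with no preceding Classes write: lower confidence, still flagged.
    {"ts": "2020-01-31T10:05:00", "host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\WSReset.exe", "cmdline": "cmd.exe /c whoami"},
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def writes_hkcu_classes(ev):
    """True for reg.exe adding a key anywhere under HKCU\\Software\\Classes."""
    cmd = ev["cmdline"].lower()
    return (_basename(ev["image"]) == "reg.exe" and " add " in cmd
            and any(k in cmd for k in (r"hkcu\software\classes", r"hkey_current_user\software\classes")))

def spawned_by_wsreset(ev):
    return _basename(ev["parent"]) == "wsreset.exe"

def detect(events):
    """High severity: Classes-hive write followed within WINDOW by a WSReset.exe child
    on the same host. Medium: a WSReset.exe child with no such preceding write."""
    findings, last_write = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if writes_hkcu_classes(ev):
            last_write[ev["host"]] = ev
        elif spawned_by_wsreset(ev):
            prior = last_write.get(ev["host"])
            recent = prior is not None and (datetime.fromisoformat(ev["ts"])
                                            - datetime.fromisoformat(prior["ts"])) <= WINDOW
            findings.append({"host": ev["host"], "child": ev["image"],
                             "severity": "high" if recent else "medium",
                             "reg_cmdline": prior["cmdline"] if recent else None})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["child"], f["reg_cmdline"])
```

On the constructed events this yields one high-severity finding for ws01 and one medium finding for ws04; ws02 and ws03 produce nothing.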
