TrickBot Switches to a New Windows 10 UAC Bypass to Evade Detection

The tricky trojan evolves yet again, remaining one of the most advanced vehicles for delivering malware.

The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware across multiple workstations and endpoints on a network, researchers have discovered.

Researchers at Morphisec Labs team said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver malware in recent samples of TrickBot, according to a report released last week. UACĀ  is a Windows security feature designed to prevent changes to an operating system by unauthorized users, application or malware.

The TrickBot malware is particularly dangerous because it’s constantly evolving with new functionality to make it even harder to detect its delivery of malware, Morphisec security researcher Arnold Osipov wrote in the post.

“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” he said. “This is what makes TrickBot among the most advanced malware delivery vehicles; the constant evolution of methodologies used for delivery.”

The report outlines in detail how the new TrickBot feature works. The WSReset UAC Bypass first checks a system to see if it’s running Windows 7 or Windows 10, Osipov wrote, with the latter being a condition for the malware to use the WSReset UAC Bypass.

This feature allows TrickBot authors to take advantage of the WSReset.exe process, a Microsoft-signed executable that is used to reset Windows Store settings, according to its manifest file, he said.

Key to the success of TrickBot’s new functionality is that the ‘autoElevate’ property in the process is set to “true,” he said. “This is what allows the WSReset UAC Bypass to be used for privilege escalation,” Osipov wrote.

If this is the case, TrickBot decrypts its strings in order to use the WSReset UAC Bypass, such as the registry path and the command to execute. Next, the trojan uses “reg.exe” in order to add the relevant keys that allows it to utilize the WSReset UAC Bypass, he said.

The final step in the new bypass feature is to execute WSReset.exe, “which will cause TrickBot to run with elevated privileges without a UAC prompt,” Osipov explained.

“TrickBot does that using ‘ShellExecuteExW’ API,” he wrote. “This final executable allows TrickBot to deliver its payload onto workstations and other endpoints.”

TrickBot was developed in 2016 as a banking malware to succeed the Dyre banking trojan; but since then, it has developed into an all-purpose, module-based crimeware solution targeted specifically to corporations. In the several years it’s been active, its creators have demonstration remarkably rapid evolution to find new, inventive and elusive ways to deliver malicious payloads.

In 2019 alone, various versions of TrickBot appeared that steadily added new tricks to the trojan’s arsenal appeared, including a feature that goes after remote desktop credentials and an update to its password grabber to target data from OpenSSH and OpenVPN applications.

Researchers last year also found evidence that the crimeware organization behind TrickBot forged an unprecedented union with North Korean APT group Lazarus through an all-in-one attack framework developed by TrickBot called Anchor Project.

2020 seems poised to show another flurry of activity from TrickBot’s criminal minds. Prior to the latest report, a team from SentinelLabs revealed mere days into the new year that a stealthy backdoor dubbed “PowerTrick” already had been added to TrickBot.


Suggested articles