The operators of the TrickBot Trojan have once again updated its malicious code: it is now capable of leveraging a new Windows 10 UAC bypass, through which the Trojan executes itself with elevated privileges without displaying a User Account Control prompt.
What is User Account Control (UAC)?
According to Microsoft’s documentation, User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision, and it helps mitigate the impact of malware.
Each app that requires administrator access must prompt for consent: UAC displays a prompt whenever such a program attempts to run with administrator privileges.
When the prompt is shown, the logged-in user is asked whether to allow the program to make changes to the device. If the program is unrecognised or suspicious, the user can stop it from running. A UAC bypass abuses legitimate, Microsoft-signed Windows programs that are allowed to elevate automatically and that the OS uses to launch other programs. Because Microsoft does not treat UAC as a security boundary, such bypasses are a low priority for it and can remain unfixed for a long time.
As for malware, threat actors often use a UAC bypass to run their code with administrator privileges, without the UAC prompt that would alert the user.
One of the latest malware families to leverage such a bypass is TrickBot. Security researchers recently reported that TrickBot had started using a Windows 10 UAC bypass based on the legitimate fodhelper.exe program.
Now the TrickBot team has switched to a different UAC bypass, this one using the WSReset.exe program.
As explained by BleepingComputer, when WSReset.exe is executed it reads a command from the default value of the HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key and then executes it. Because WSReset.exe is a Microsoft-signed binary that auto-elevates, that command runs with elevated privileges and no UAC prompt is shown, so the user has no indication that a program has been launched. Since the key lives under HKCU, the malware can create it with the rights of an ordinary user.
TrickBot’s operators are now using this bypass to launch the Trojan with elevated privileges without alerting the logged-in user via the prompt, which lets it run silently in the background and do its work covertly.
According to cybersecurity researchers from Morphisec, “the final step in this bypass is to execute WSReset.exe, which will cause Trickbot to run with elevated privileges without a UAC prompt. Trickbot does that using ‘ShellExecuteExW’ API. This final executable allows Trickbot to deliver its payload onto workstations and other endpoints.”
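As an added example (not code from the article, from Morphisec or from BleepingComputer), the following PowerShell audits the current user's registry hive for the WSReset.exe hijack key quoted above, reports the staged command line, and optionally removes it. It also checks the equivalent key for the older fodhelper.exe bypass mentioned earlier; that key path is not given on this page and is taken from public descriptions of the fodhelper bypass. Reading HKCU needs no administrator rights, so the check can run as the user being investigated.

```powershell
# Added example, not code from the article or the researchers it quotes.
# Audits HKCU for the per-user class keys abused by the WSReset.exe bypass
# described above (and the fodhelper.exe one, whose key is from public
# write-ups rather than this page), then optionally removes them.

$HijackTargets = @(
    @{ Binary = 'WSReset.exe'
       Key    = 'HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' },
    @{ Binary = 'fodhelper.exe'   # key path not given on the page; from public documentation of that bypass
       Key    = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command' }
)

function Get-UacBypassKeyHijack {
    <#
    .SYNOPSIS
      Returns one object per staged hijack found under HKCU; no output means clean.
    #>
    foreach ($t in $HijackTargets) {
        if (-not (Test-Path -LiteralPath $t.Key)) { continue }

        # Neither key normally exists in a user hive: the real handlers live under
        # HKLM\Software\Classes, so a per-user copy is itself the indicator.
        $regKey  = Get-Item -LiteralPath $t.Key
        $command = $regKey.GetValue('')            # the (default) value the auto-elevating binary launches
        $values  = @{}
        foreach ($name in $regKey.GetValueNames()) {
            $values[$(if ($name) { $name } else { '(default)' })] = $regKey.GetValue($name)
        }

        [pscustomobject]@{
            AbusedBinary = $t.Binary
            Key          = $t.Key
            Command      = $command
            AllValues    = $values
        }
    }
}

function Remove-UacBypassKeyHijack {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($t in $HijackTargets) {
        # Delete the whole per-user class key, not just ...\command, so the hijack
        # cannot be re-armed by re-creating a single subkey.
        $classKey = ($t.Key -split '\\Shell\\')[0]
        if ((Test-Path -LiteralPath $classKey) -and
            $PSCmdlet.ShouldProcess($classKey, 'Remove hijacked class key')) {
            Remove-Item -LiteralPath $classKey -Recurse -Force
        }
    }
}

# Usage: audit first, review the staged command line, then clean up.
$findings = @(Get-UacBypassKeyHijack)
if ($findings.Count -eq 0) {
    Write-Output 'No WSReset.exe / fodhelper.exe hijack keys staged for this user.'
} else {
    foreach ($f in $findings) {
        Write-Warning ("{0} hijack staged at {1}`n  command: {2}" -f $f.AbusedBinary, $f.Key, $f.Command)
    }
    # Remove-UacBypassKeyHijack -WhatIf   # preview the deletion
    # Remove-UacBypassKeyHijack           # remove the staged keys
}
```

Because the key is created under HKCU, a finding here means the bypass was staged by code already running as that user; removing the key stops WSReset.exe from launching the payload again, but the dropper that wrote it still has to be found and removed, and the staged command line is the obvious starting point.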
More about TrickBot Trojan
TrickBot is a banking Trojan that has been around since 2016. It is designed to steal online banking and other credentials, cryptocurrency wallets and browser data, and the damage it causes can be severe. Variants seen in 2019 were used against customers of T-Mobile, Sprint and Verizon, among others; those infections relied on malicious websites that redirected users of the services to fake landing pages.