GootKit Malware Bypasses Windows Defender by Setting Path Exclusions

[silversurfer]

Content source

https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection.
Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.

GootKit is a banking Trojan that attempts to steal the online banking credentials of infected users through video capture and redirects to fake banking sites under the attacker's control. An interesting aspect of this infection is that it is a Node JS application packaged into an executable.

Read more below:

GootKit Malware Bypasses Windows Defender by Setting Path Exclusions

As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows...

www.bleepingcomputer.com

 

[Andy Ful]

This persistence method will not work with WD ASR rules enabled. Furthermore, it will not work when the execution of reg.exe (well known LOLBin) is blocked.
The bypass used by the malware is actually detected by WD, but without additional tests, it is unclear if the malware can be fully blocked/removed.