New TrickBot Version Focuses on Microsoft's Windows Defender

[Der.Reisende]

Content source

https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/

A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine.
TrickBot is a banking Trojan that attempts to steal online banking credentials, cryptocurrency wallets, browser information, and other credentials saved on your PC and browser.
When TrickBot is executed it first starts a loader that gets the system ready by disabling Windows services and processes associated with security software and performing elevation to gain higher system privileges. When that is completed, it will load the "core" component by injecting a DLL that then downloads modules used to steal information from the computer, contains the communication layer, and perform other tasks.

[...]

These new methods perform the following steps, with most, if not all, being blocked by TamperProtection if enabled:

• Add policies to SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following:
  • DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
  • DisableOnAccessProtection: Disables scanning when you open a program or file.
  • DisableScanOnRealtimeEnable: Disabled process scanning.
• Configures the following Windows Defender preferences via PowerShell:
  • DisableRealtimeMonitoring: Disables real time scanning.
  • DisableBehaviorMonitoring: Same as above, except as a Windows Defender preference.
  • DisableBlockAtFirstSeen: Disables Defender's Cloud Protection feature.
  • DisableIOAVProtection: Disables scans of downloaded files and attachments.
  • DisablePrivacyMode: Disables privacy mode so all users can see threat history.
  • DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
  • DisableScriptScanning: Disables the scanning of scripts.
  • SevereThreatDefaultAction: Set the value to 6, which turns off automatic remediation for severe threats.
  • LowThreatDefaultAction: Set the value to 6, which turns off automatic remediation for low threats.
  • ModerateThreatDefaultAction: Set the value to 6, which turns off automatic remediation for moderate threats.

[...]

Full arcticle @ source.

 

[Threadripper]

Would love to see this in action against a fully updated 1903 system w/ core isolation & tamper prevention. I guess if UAC was on always notify it would need permission but UAC is easy to bypass.

 

[shmu26]

Tamper protection will provide an additional obstacle to this attack, but since it relies on Powershell and privilege elevation, it will already find many obstacles in place on hardened systems.

 

[Andy Ful]

This malware was created 26.07.2019. After 3 days all popular AVs except Comodo could detect it as malware. It is digitally signed and uses UAC bypass to elevate and drop/execute the payload. Next, the script Interpreters (CMD, PowerShell) are used to disable WD services and change the configuration or disable WD protection.
It uses also IFEO Registry key to disable executables/services related to Malwarebytes and Sophos.
Such methods could be used to stop other AVs, too. The crucial thing is to access administrative rights.

 

[plat]

"Hardened", most definitely--would third party OSArmor be expected to at least partly block this, particularly when enabling certain Lockdown settings? You would think/hope so but I note that when OSA notifies of a block, the process is not always stopped completely. For example: a legit application, Defender Control v.15: Defender was still running but the little shield icon was knocked out of the system tray.

Also, OSArmor has a self-defense setting. This should be a must for all security software.

Spoiler

 

[shmu26]

"Hardened", most definitely--would third party OSArmor be expected to at least partly block this, particularly when enabling certain Lockdown settings? You would think/hope so but I note that when OSA notifies of a block, the process is not always stopped completely. For example: a legit application, Defender Control v.15: Defender was still running but the little shield icon was knocked out of the system tray.

Also, OSArmor has a self-defense setting. This should be a must for all security software.

Spoiler

View attachment 217631

Since it is signed malware, most of the mitigations in the spoiler won't help. You could hope that the orange one will block it, but better to also enable rules that block powershell.

 

[Andy Ful]

Since it is signed malware, most of the mitigations in the spoiler won't help. You could hope that the orange one will block it, but better to also enable rules that block powershell.

The initial loader is signed, but it seems that the payload is not.

 

[436880927]

Also, OSArmor has a self-defense setting. This should be a must for all security software.

1. All of the main vendors have already been using what OSA can do for self-defense since Windows 2003/Vista.
2. All of the vendors partnered with Microsoft in the appropriate programs have access to ELAM which uses Windows's native self-defense capabilities (hard-coded into the kernel). OSA doesn't have access to this officially - and it doesn't use it unethically (without consent).
3. Windows is designed to allow administrators to have control over the environment - this includes configuring Windows Defender.

If you have administrative rights then bypassing OSA's self-defense is inevitable - there will always be a way. Unless the system isn't usable by normal means... and chances are there'd be someone out there knowledgeable enough to do it regardless.

There's a reason as to why AVs reject self-defense bypasses when you need to have privileges on the machine for it to function. Feel free to go ahead and make an elevated bypass and submit it to Avast, AVG, Bitdefender, ESET, Kaspersky, whatever... it won't be accepted as eligible and won't get you paid. Standard rights only otherwise all you'll get is a standard reply and there won't be a paycheck included.

 

[plat]

Yes, of course, the main vendors would have addressed this self-protect long since--frankly, I didn't even think of third party antivirus but more like NVT EXE Radar Pro, an anti-exe which I have running on my system now. This doesn't seem to have a self defense mechanism, only a password-protected access option. A couple of years ago, VoodooShield's betas had a similar anti-tamper mechanism but not sure if it does currently. I think third party helpers like these are fantastic to have when running Defender specifically and this malware is proof-positive for that. But, you'd want your third party helpers to have some barriers also, not just Defender. Immunet? Secure A-Plus?--software like that. Malwarebytes?

This is why I appreciate shmu's notes about PowerShell, which is already restricted somewhat in OSArmor. I'm thinking I should disable it altogether.

 

[shmu26]

Little-known security programs such as OSA don't really need self-protection, because malcoders are not targeting them in the first place. On the contrary, malcoders want to stay far away from security researchers, pen-testers and other whistle-blowers who will detect their code and report it.
Major AVs need self-protection, because they are targeted.

 

[Andy Ful]

I created a simple script to disable some important WD features and compiled it to EXE:

Global $PowerShellDir = 'c:\Windows\System32\WindowsPowerShell\v1.0\'
Run($PowerShellDir & "PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -DisableRealtimeMonitoring 1; Set-MpPreference -DisableBehaviorMonitoring 1; Set-MpPreference -DisableBlockAtFirstSeen 1; Set-MpPreference -DisableIOAVProtection 1; Set-MpPreference -DisableScriptScanning 1;", "", @SW_HIDE)

After running the EXE file on WIndows 10 ver. 1809 with admin rights, these features were disabled and the EXE file was not detected as malicious. So, adding the Tamper Protection in WD is really important, because without it, any exploit + UAC bypass can easily disarm WD.

Edit
I simplified somewhat the WD protection, because the same EXE file downloaded from the suspicious website, could be classified as malicious. Furthermore, my example did not have additional suspicious features.

 

[Andy Ful]

Today morning I tested the EXE from my previous post with activated WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". The file was blocked by this rule. So, the combination of WD default protection + the above ASR rule should protect against the executables which try to disarm WD.

 

[Gandalf_The_Grey]

I created a simple script to disable some important WD features and compiled it to EXE:

Global $PowerShellDir = 'c:\Windows\System32\WindowsPowerShell\v1.0\'
Run($PowerShellDir & "PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -DisableRealtimeMonitoring 1; Set-MpPreference -DisableBehaviorMonitoring 1; Set-MpPreference -DisableBlockAtFirstSeen 1; Set-MpPreference -DisableIOAVProtection 1; Set-MpPreference -DisableScriptScanning 1;", "", @SW_HIDE)

After running the EXE file on WIndows 10 ver. 1809 with admin rights, these features were disabled and the EXE file was not detected as malicious. So, adding the Tamper Protection in WD is really important, because without it, any exploit + UAC bypass can easily disarm WD.

Edit
I simplified somewhat the WD protection, because the same EXE file downloaded from the suspicious website, could be classified as malicious. Furthermore, my example did not have additional suspicious features.

Can you test the same sample on 1903 to see if Tamper Protection will stop this?

 

[Andy Ful]

Can you test the same sample on 1903 to see if Tamper Protection will stop this?

For now, the Tamper Protection on Windows ver. 1903 blocks only disabling the below WD settings:

• Real-time protection;
• Cloud-delivered protection;
• IOAV protection;
• Behavior monitoring;

So, the other features (like script scanning) can still be disabled.

 

[Burrito]

Disabling Windows Defender

But the really stealthy stuff, and what marks Trickbot as being one of the more dangerous Trojans out in the wild right now, is how it targets those Windows 10 users who rely upon Windows Defender to protect their machines from malware threats. It has been a common thread, at least among the more sophisticated malware seen across the years, to use various methodologies to evade detection by security software and so prevent being neutered.

Trickbot is going the extra malware mile, however, and is not only detecting Windows Defender but employing no less than 17 steps to disable it altogether.

The ever-reliable Bleeping Computer reports that once executed, Trickbot attempts to disable and delete the WinDefend service, terminate processes associated with Windows Defender, add a Windows policy to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.

However, that has apparently not been successful enough, and so the developers of the Trickbot Trojan have now added more steps in their attempt to prevent Windows Defender from protecting Windows 10 users from this threat.

The Bleeping Computer report reveals that researchers MalwareHunterTeam and Vitali Kremez reverse-engineered a newly-discovered Trickbot variant and found it had added a further dozen methods to the attack arsenal. "These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences," Bleeping Computer reports.

Windows 10 Warning: 250M Account Trojan Can Disable Windows Defender

Windows 10 users are fortunate in having pretty good malware protection in the form of Windows Defender, right out of the box. Until, that is, malware figures out a way to not only evade detection but disable Defender altogether.

www.forbes.com

 

[shmu26]

Windows 10 Warning: 250M Account Trojan Can Disable Windows Defender

Windows 10 users are fortunate in having pretty good malware protection in the form of Windows Defender, right out of the box. Until, that is, malware figures out a way to not only evade detection but disable Defender altogether.

www.forbes.com

Without Powershell, this malware is powerless.

 

[Andy Ful]

Considering how much effort they use to disable WD protection, after the malware already infected the computer with admin rights, they probably think that WD has a very strong postinfection protection.
There are so many methods to hide the malware with admin rights and without disabling the AV. I am not sure if disabling the AV is the most efficient method for the attacker, but it can be very dangerous for average Windows 10 users, who do not care if WD protection is turned on.

 

[Gandalf_The_Grey]

Without Powershell, this malware is powerless.

So with Tamper Protection enabled and the help of Hard_Configurator (Block PowerShell Scripts) there is nothing to worry about.

 

[Andy Ful]

So with Tamper Protection enabled and the help of Hard_Configurator (Block PowerShell Scripts) there is nothing to worry about.

With H_C Recommended Settings, this malware will be prevented on the delivery stage (MS Office document, script loader, malicious shortcut, malicious executable, etc.). You do not need Tamper Protection.

 

[Back3]

With H_C Recommended Settings, this malware will be prevented on the delivery stage (MS Office document, script loader, malicious shortcut, malicious executable, etc.). You do not need Tamper Protection.

What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.