New TrickBot Version Focuses on Microsoft's Windows Defender

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.
Andy already said over here
that he tested it, and ASR blocks it. So that's your answer. Configure Defender ( high profile) will block it immediately.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
Andy already said over here
that he tested it, and ASR blocks it. So that's your answer. Configure Defender ( high profile) will block it immediately.

Thanks
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.
This malware has a few variants which are delivered via weaponized documents, spam attachments, and phishing links. In most cases, the malware will be prevented by SmartScreen or Windows Defender (ConfigureDefender HIGH Protection Level).
The HIGH Protection Level is similar to the protection of any commercial AV, and such protection can be strengthened by additional settings at the cost of usability.
For example, when using KIS you could tweak Application Control to block/restrict scripting engines. When using WD you could add more ASR rules (ConfigureDefender MAX Protection Level) and use SysHardener, or H_C. If your friends are not happy-clickers, then they could use just standalone RunBySmartScreen.

There is no bulletproof protection. Anyway, the chances that one of your friends can be infected by such malware, when using WD with ConfigureDefender HIGH Protection Level, are much less than the chances of stealing her/his computer. So, you can stop thinking about it. (y):giggle:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
... Configure Defender ( high profile) will block it immediately.
This case is more complicated. ConfigureDefender (HIgh Protection Level) should block the dropper (in most cases) via one of enabled ASR rules. In rare cases, the malware could probably survive and drop the payload to disable WD. Still, WD has a great chance to detect the payload after a day or more, but the fresh payload has some chances to survive. If the UAC vulnerability is not patched by Windows Update then the payload could disable WD.
Anyway, the fresh payload (very low prevalence) should be blocked from disabling WD protection, after activating additional ASR rule (which is disabled in HIgh Protection Level).:giggle:(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Which IMO is the only way to run WD! (y)
Ha, ha. Most people would not be happy when following this way. :giggle:

Honestly, I do not think that the attack connected with disabling AV protection will be effective against home users. It relies on exploiting privilege escalation vulnerability, so could be especially dangerous in organizations and enterprises, which usually do not update Windows on time. But, many of them have administrators who quickly recognize the attack by seeing WD disabled and some computers use Windows E5 with full WD ATP protection.
The malware will be detonated in the cloud sandbox and recognized as malicious in a minute. The phishing link will be added to SmartScreen and the malware will be detected by BAFS on all computers, even with WD on default settings. After some hours the computers will also detect the malware by signatures.

There are some more sophisticated examples of malware in the wild, which can hide in the system without disabling the AV protection. They can survive much longer because they do not make the noise in the system.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
This malware has a few variants which are delivered via weaponized documents, spam attachments, and phishing links. In most cases, the malware will be prevented by SmartScreen or Windows Defender (ConfigureDefender HIGH Protection Level).
The HIGH Protection Level is similar to the protection of any commercial AV, and such protection can be strengthened by additional settings at the cost of usability.
For example, when using KIS you could tweak Application Control to block/restrict scripting engines. When using WD you could add more ASR rules (ConfigureDefender MAX Protection Level) and use SysHardener, or H_C. If your friends are not happy-clickers, then they could use just standalone RunBySmartScreen.

There is no bulletproof protection. Anyway, the chances that one of your friends can be infected by such malware, when using WD with ConfigureDefender HIGH Protection Level, are much less than the chances of stealing her/his computer. So, you can stop thinking about it. (y):giggle:

Thanks a lot for your answer. I will stop thinking about it!
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
This type of news provokes fear, etc. but safe web surfers really need not be concerned. These stories breed paranoia on forums. We all would do well to relax , :yoga: and enjoy life! :barefoot: :barefoot: :barefoot: :coffee:
I partially disagree, simply because fear normally comes from the lack of knowledge and this kind of news/information is crucial being able to gain, knowledge. With that one can then relax and enjoy life! :coffee::emoji_popcorn::emoji_beer:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
the fresh payload (very low prevalence) should be blocked from disabling WD protection, after activating additional ASR rule (which is disabled in HIgh Protection Level).:giggle:(y)
Which additional ASR rule is that? Is it "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"? You mean this rule is not included in High Protection Level??

It relies on exploiting privilege escalation vulnerability, so could be especially dangerous in organizations and enterprises, which usually do not update Windows on time.
You mean this malware relies on a vulnerability that was already patched by MS? If so, we really have nothing to worry about!
 
  • Like
Reactions: Andy Ful

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
ASR rules must be enabled manually in “High” setting, or use “Max” and switch to Warn for Edge and Explorer + WS = visible and then ASR included. (y)
Thanks.
My apologies to @Back3 for my inaccurate answer on the topic. I usually do my own custom configuring, so apparently I forgot what "High" setting does.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Thanks.
My apologies to @Back3 for my inaccurate answer on the topic. I usually do my own custom configuring, so apparently I forgot what "High" setting does.
Your answer was practically correct (for home users on Windows 10) because this kind of malware will be mostly prevented by HIGH Protection Level settings.:giggle:
These settings allow WD to break the infection chain on the delivery stage, so the dangerous Trickbot modules will not be dropped/executed.

The Trickbot dropper can also use social engineering techniques to elevate, like this variant from July 2019: TrickBot malware campaign is after your Office 365 passwords

I am not sure, but it seems that one of the payloads dropped by Trickbot dropper was very quickly detected by Kaspersky and Microsoft (https://twitter.com/hashtag/trickbot):
trickbot.png


Defender ML detected this malware as actions of a malicious hacker's choice (Trojan:Win32/Wacatac.B!ml)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top