New TrickBot Version Focuses on Microsoft's Windows Defender

What about Configure Defender (high profile)? I have installed it on many friends' computers who only have WD as their main antivirus protection.
Andy already said over here that he tested it, and ASR blocks it. So that's your answer. Configure Defender (high profile) will block it immediately.
 

Thanks
 
This malware has a few variants which are delivered via weaponized documents, spam attachments, and phishing links. In most cases, the malware will be prevented by SmartScreen or Windows Defender (ConfigureDefender HIGH Protection Level).
The HIGH Protection Level is similar to the protection of any commercial AV, and such protection can be strengthened by additional settings at the cost of usability.
For example, when using KIS you could tweak Application Control to block/restrict scripting engines. When using WD you could add more ASR rules (ConfigureDefender MAX Protection Level) and use SysHardener, or H_C. If your friends are not happy-clickers, then they could use just standalone RunBySmartScreen.

There is no bulletproof protection. Anyway, the chances that one of your friends can be infected by such malware, when using WD with ConfigureDefender HIGH Protection Level, are much less than the chances of stealing her/his computer. So, you can stop thinking about it. (y):giggle:
 
... Configure Defender (high profile) will block it immediately.
This case is more complicated. ConfigureDefender (High Protection Level) should block the dropper (in most cases) via one of the enabled ASR rules. In rare cases, the malware could probably survive and drop the payload to disable WD. Still, WD has a great chance to detect the payload after a day or more, but the fresh payload has some chances to survive. If the UAC vulnerability is not patched by Windows Update, then the payload could disable WD.
Anyway, the fresh payload (very low prevalence) should be blocked from disabling WD protection after activating an additional ASR rule (which is disabled in High Protection Level).:giggle:(y)
 
Which IMO is the only way to run WD! (y)
Ha, ha. Most people would not be happy when following this way. :giggle:

Honestly, I do not think that the attack connected with disabling AV protection will be effective against home users. It relies on exploiting a privilege escalation vulnerability, so it could be especially dangerous in organizations and enterprises, which usually do not update Windows on time. But many of them have administrators who quickly recognize the attack by seeing WD disabled, and some computers use Windows E5 with full WD ATP protection.
The malware will be detonated in the cloud sandbox and recognized as malicious in a minute. The phishing link will be added to SmartScreen and the malware will be detected by BAFS on all computers, even with WD on default settings. After some hours the computers will also detect the malware by signatures.

There are some more sophisticated examples of malware in the wild which can hide in the system without disabling the AV protection. They can survive much longer because they do not make noise in the system.
 

Thanks a lot for your answer. I will stop thinking about it!
 

This type of news provokes fear, etc., but safe web surfers really need not be concerned. These stories breed paranoia on forums. We all would do well to relax, :yoga: and enjoy life! :barefoot: :barefoot: :barefoot: :coffee:
 
I partially disagree, simply because fear normally comes from a lack of knowledge, and this kind of news/information is crucial to being able to gain knowledge. With that, one can then relax and enjoy life! :coffee::emoji_popcorn::emoji_beer:
 
the fresh payload (very low prevalence) should be blocked from disabling WD protection after activating an additional ASR rule (which is disabled in High Protection Level).:giggle:(y)
Which additional ASR rule is that? Is it "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"? You mean this rule is not included in the High Protection Level?

It relies on exploiting a privilege escalation vulnerability, so it could be especially dangerous in organizations and enterprises, which usually do not update Windows on time.
You mean this malware relies on a vulnerability that was already patched by MS? If so, we really have nothing to worry about!
 
ASR rules must be enabled manually in the "High" setting, or use "Max" and switch to Warn for Edge and Explorer + WS = visible, and then ASR is included. (y)
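As an added example (my code, not from the thread or from ConfigureDefender): a PowerShell check for the "prevalence, age, or trusted list" ASR rule discussed in the last few posts, which reports whether the rule is active and, if it is not, turns it on in Audit mode first so you can review what it would have blocked before switching to Block. It assumes Windows 10 with Microsoft Defender Antivirus, an elevated prompt, and the rule ID Microsoft publishes for that rule; Get-AsrRuleState is a helper name I chose.

```powershell
# Added example: check and enable the ASR rule "Block executable files from running
# unless they meet a prevalence, age, or trusted list criterion".
# Assumes Windows 10, Microsoft Defender Antivirus, elevated PowerShell.

# Microsoft's published rule ID for the prevalence/age/trusted-list rule.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Action codes as stored by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule, or 'NotConfigured'.
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return $ActionNames[[int]$acts[$i]] }
    }
    return 'NotConfigured'
}

$state = Get-AsrRuleState -RuleId $PrevalenceRule
Write-Host "Prevalence/age rule state: $state"

if ($state -in 'NotConfigured', 'Disabled') {
    # Audit mode logs what the rule would stop (Event ID 1122) without blocking,
    # so legitimate low-prevalence tools can be spotted before enforcing the rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host 'Rule enabled in Audit mode; review events, then set the action to Enabled.'
}

# Review recent audit hits for this rule before switching to Block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -imatch $PrevalenceRule } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } }
```

Once the audit log shows only the kind of executables you expect to block, rerun Add-MpPreference with -AttackSurfaceReductionRules_Actions Enabled; blocked runs then appear as Event ID 1121 in the same log.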
Thanks.
My apologies to @Back3 for my inaccurate answer on the topic. I usually do my own custom configuring, so apparently I forgot what "High" setting does.
 
Your answer was practically correct (for home users on Windows 10) because this kind of malware will be mostly prevented by HIGH Protection Level settings.:giggle:
These settings allow WD to break the infection chain at the delivery stage, so the dangerous Trickbot modules will not be dropped/executed.

The Trickbot dropper can also use social engineering techniques to elevate, like this variant from July 2019: TrickBot malware campaign is after your Office 365 passwords

I am not sure, but it seems that one of the payloads dropped by Trickbot dropper was very quickly detected by Kaspersky and Microsoft (https://twitter.com/hashtag/trickbot):
[Attached screenshot: trickbot.png]

Defender ML detected this malware as actions of a malicious hacker's choice (Trojan:Win32/Wacatac.B!ml)
 