New TrickBot Version Focuses on Microsoft's Windows Defender

shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Back3 said:
What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.
Click to expand...
Andy already said over here
malwaretips.com

New TrickBot Version Focuses on Microsoft's Windows Defender

A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine...
malwaretips.com malwaretips.com
that he tested it, and ASR blocks it. So that's your answer. Configure Defender ( high profile) will block it immediately.
 
  • Like
Reactions: ForgottenSeer 72227, oldschool, Andy Ful and 2 others
B

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
shmu26 said:
Andy already said over here
malwaretips.com

New TrickBot Version Focuses on Microsoft's Windows Defender

A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine...
malwaretips.com malwaretips.com
that he tested it, and ASR blocks it. So that's your answer. Configure Defender ( high profile) will block it immediately.
Click to expand...

Thanks
 
  • Like
Reactions: ForgottenSeer 72227, Andy Ful, Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
Back3 said:
What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.
Click to expand...
This malware has a few variants which are delivered via weaponized documents, spam attachments, and phishing links. In most cases, the malware will be prevented by SmartScreen or Windows Defender (ConfigureDefender HIGH Protection Level).
The HIGH Protection Level is similar to the protection of any commercial AV, and such protection can be strengthened by additional settings at the cost of usability.
For example, when using KIS you could tweak Application Control to block/restrict scripting engines. When using WD you could add more ASR rules (ConfigureDefender MAX Protection Level) and use SysHardener, or H_C. If your friends are not happy-clickers, then they could use just standalone RunBySmartScreen.

There is no bulletproof protection. Anyway, the chances that one of your friends can be infected by such malware, when using WD with ConfigureDefender HIGH Protection Level, are much less than the chances of stealing her/his computer. So, you can stop thinking about it. (y):giggle:
 
  • Like
  • HaHa
Reactions: Venustus, Gandalf_The_Grey, shmu26 and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
shmu26 said:
... Configure Defender ( high profile) will block it immediately.
Click to expand...
This case is more complicated. ConfigureDefender (HIgh Protection Level) should block the dropper (in most cases) via one of enabled ASR rules. In rare cases, the malware could probably survive and drop the payload to disable WD. Still, WD has a great chance to detect the payload after a day or more, but the fresh payload has some chances to survive. If the UAC vulnerability is not patched by Windows Update then the payload could disable WD.
Anyway, the fresh payload (very low prevalence) should be blocked from disabling WD protection, after activating additional ASR rule (which is disabled in HIgh Protection Level).:giggle:(y)
 
Last edited:
  • Like
Reactions: Venustus, harlan4096, shmu26 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
oldschool said:
Which IMO is the only way to run WD! (y)
Click to expand...
Ha, ha. Most people would not be happy when following this way. :giggle:

Honestly, I do not think that the attack connected with disabling AV protection will be effective against home users. It relies on exploiting privilege escalation vulnerability, so could be especially dangerous in organizations and enterprises, which usually do not update Windows on time. But, many of them have administrators who quickly recognize the attack by seeing WD disabled and some computers use Windows E5 with full WD ATP protection.
The malware will be detonated in the cloud sandbox and recognized as malicious in a minute. The phishing link will be added to SmartScreen and the malware will be detected by BAFS on all computers, even with WD on default settings. After some hours the computers will also detect the malware by signatures.

There are some more sophisticated examples of malware in the wild, which can hide in the system without disabling the AV protection. They can survive much longer because they do not make the noise in the system.
 
  • Like
Reactions: Venustus, harlan4096, shmu26 and 2 others
B

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
Andy Ful said:
This malware has a few variants which are delivered via weaponized documents, spam attachments, and phishing links. In most cases, the malware will be prevented by SmartScreen or Windows Defender (ConfigureDefender HIGH Protection Level).
The HIGH Protection Level is similar to the protection of any commercial AV, and such protection can be strengthened by additional settings at the cost of usability.
For example, when using KIS you could tweak Application Control to block/restrict scripting engines. When using WD you could add more ASR rules (ConfigureDefender MAX Protection Level) and use SysHardener, or H_C. If your friends are not happy-clickers, then they could use just standalone RunBySmartScreen.

There is no bulletproof protection. Anyway, the chances that one of your friends can be infected by such malware, when using WD with ConfigureDefender HIGH Protection Level, are much less than the chances of stealing her/his computer. So, you can stop thinking about it. (y):giggle:
Click to expand...

Thanks a lot for your answer. I will stop thinking about it!
 
  • Like
Reactions: Venustus, shmu26 and Andy Ful
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
oldschool said:
This type of news provokes fear, etc. but safe web surfers really need not be concerned. These stories breed paranoia on forums. We all would do well to relax , :yoga: and enjoy life! :barefoot: :barefoot: :barefoot: :coffee:
Click to expand...
I partially disagree, simply because fear normally comes from the lack of knowledge and this kind of news/information is crucial being able to gain, knowledge. With that one can then relax and enjoy life! :coffee::emoji_popcorn::emoji_beer:
 
  • Like
Reactions: Venustus, shmu26, Burrito and 1 other person
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
the fresh payload (very low prevalence) should be blocked from disabling WD protection, after activating additional ASR rule (which is disabled in HIgh Protection Level).:giggle:(y)
Click to expand...
Which additional ASR rule is that? Is it "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"? You mean this rule is not included in High Protection Level??

Andy Ful said:
It relies on exploiting privilege escalation vulnerability, so could be especially dangerous in organizations and enterprises, which usually do not update Windows on time.
Click to expand...
You mean this malware relies on a vulnerability that was already patched by MS? If so, we really have nothing to worry about!
 
  • Like
Reactions: Andy Ful
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
oldschool said:
ASR rules must be enabled manually in “High” setting, or use “Max” and switch to Warn for Edge and Explorer + WS = visible and then ASR included. (y)
Click to expand...
Thanks.
My apologies to @Back3 for my inaccurate answer on the topic. I usually do my own custom configuring, so apparently I forgot what "High" setting does.
 
  • Like
Reactions: Venustus, Back3, Andy Ful and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
shmu26 said:
Thanks.
My apologies to @Back3 for my inaccurate answer on the topic. I usually do my own custom configuring, so apparently I forgot what "High" setting does.
Click to expand...
Your answer was practically correct (for home users on Windows 10) because this kind of malware will be mostly prevented by HIGH Protection Level settings.:giggle:
These settings allow WD to break the infection chain on the delivery stage, so the dangerous Trickbot modules will not be dropped/executed.

The Trickbot dropper can also use social engineering techniques to elevate, like this variant from July 2019: TrickBot malware campaign is after your Office 365 passwords

I am not sure, but it seems that one of the payloads dropped by Trickbot dropper was very quickly detected by Kaspersky and Microsoft (https://twitter.com/hashtag/trickbot):
trickbot.png


Defender ML detected this malware as actions of a malicious hacker's choice (Trojan:Win32/Wacatac.B!ml)
 
Last edited:
  • Like
Reactions: Venustus, Gandalf_The_Grey, shmu26 and 2 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
Security News New Windows Themes zero-day gets free, unofficial patches
Replies
0
Views
778
Security News
Gandalf_The_Grey
Gandalf_The_Grey
oldschool
    • Like
    • +Reputation
    • Thanks
New Update Enhanced Phishing Protection in Microsoft Defender SmartScreen
Replies
11
Views
880
Windows 11
simmerskool
simmerskool
lokamoka820
    • Like
New Update Autorun Organizer Updates Thread
Replies
3
Views
249
System utilities
lokamoka820
lokamoka820

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top