New TrickBot Version Focuses on Microsoft's Windows Defender

Der.Reisende

Level 45
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine.
TrickBot is a banking Trojan that attempts to steal online banking credentials, cryptocurrency wallets, browser information, and other credentials saved on your PC and browser.
When TrickBot is executed it first starts a loader that gets the system ready by disabling Windows services and processes associated with security software and performing elevation to gain higher system privileges. When that is completed, it will load the "core" component by injecting a DLL that then downloads modules used to steal information from the computer, contains the communication layer, and perform other tasks.

[...]

These new methods perform the following steps, with most, if not all, being blocked by TamperProtection if enabled:
  • Add policies to SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following:
    • DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
    • DisableOnAccessProtection: Disables scanning when you open a program or file.
    • DisableScanOnRealtimeEnable: Disabled process scanning.
  • Configures the following Windows Defender preferences via PowerShell:
    • DisableRealtimeMonitoring: Disables real time scanning.
    • DisableBehaviorMonitoring: Same as above, except as a Windows Defender preference.
    • DisableBlockAtFirstSeen: Disables Defender's Cloud Protection feature.
    • DisableIOAVProtection: Disables scans of downloaded files and attachments.
    • DisablePrivacyMode: Disables privacy mode so all users can see threat history.
    • DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
    • DisableScriptScanning: Disables the scanning of scripts.
    • SevereThreatDefaultAction: Set the value to 6, which turns off automatic remediation for severe threats.
    • LowThreatDefaultAction: Set the value to 6, which turns off automatic remediation for low threats.
    • ModerateThreatDefaultAction: Set the value to 6, which turns off automatic remediation for moderate threats.
[...]

Full arcticle @ source.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
This malware was created 26.07.2019. After 3 days all popular AVs except Comodo could detect it as malware. It is digitally signed and uses UAC bypass to elevate and drop/execute the payload. Next, the script Interpreters (CMD, PowerShell) are used to disable WD services and change the configuration or disable WD protection.
It uses also IFEO Registry key to disable executables/services related to Malwarebytes and Sophos.
Such methods could be used to stop other AVs, too. The crucial thing is to access administrative rights.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
"Hardened", most definitely--would third party OSArmor be expected to at least partly block this, particularly when enabling certain Lockdown settings? You would think/hope so but I note that when OSA notifies of a block, the process is not always stopped completely. For example: a legit application, Defender Control v.15: Defender was still running but the little shield icon was knocked out of the system tray.

Also, OSArmor has a self-defense setting. This should be a must for all security software.

osa ld set.PNG
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
"Hardened", most definitely--would third party OSArmor be expected to at least partly block this, particularly when enabling certain Lockdown settings? You would think/hope so but I note that when OSA notifies of a block, the process is not always stopped completely. For example: a legit application, Defender Control v.15: Defender was still running but the little shield icon was knocked out of the system tray.

Also, OSArmor has a self-defense setting. This should be a must for all security software.

Since it is signed malware, most of the mitigations in the spoiler won't help. You could hope that the orange one will block it, but better to also enable rules that block powershell.
 
4

436880927

Also, OSArmor has a self-defense setting. This should be a must for all security software.
1. All of the main vendors have already been using what OSA can do for self-defense since Windows 2003/Vista.
2. All of the vendors partnered with Microsoft in the appropriate programs have access to ELAM which uses Windows's native self-defense capabilities (hard-coded into the kernel). OSA doesn't have access to this officially - and it doesn't use it unethically (without consent).
3. Windows is designed to allow administrators to have control over the environment - this includes configuring Windows Defender.

If you have administrative rights then bypassing OSA's self-defense is inevitable - there will always be a way. Unless the system isn't usable by normal means... and chances are there'd be someone out there knowledgeable enough to do it regardless.

There's a reason as to why AVs reject self-defense bypasses when you need to have privileges on the machine for it to function. Feel free to go ahead and make an elevated bypass and submit it to Avast, AVG, Bitdefender, ESET, Kaspersky, whatever... it won't be accepted as eligible and won't get you paid. Standard rights only otherwise all you'll get is a standard reply and there won't be a paycheck included.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Yes, of course, the main vendors would have addressed this self-protect long since--frankly, I didn't even think of third party antivirus but more like NVT EXE Radar Pro, an anti-exe which I have running on my system now. This doesn't seem to have a self defense mechanism, only a password-protected access option. A couple of years ago, VoodooShield's betas had a similar anti-tamper mechanism but not sure if it does currently. I think third party helpers like these are fantastic to have when running Defender specifically and this malware is proof-positive for that. But, you'd want your third party helpers to have some barriers also, not just Defender. Immunet? Secure A-Plus?--software like that. Malwarebytes?

This is why I appreciate shmu's notes about PowerShell, which is already restricted somewhat in OSArmor. I'm thinking I should disable it altogether.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Little-known security programs such as OSA don't really need self-protection, because malcoders are not targeting them in the first place. On the contrary, malcoders want to stay far away from security researchers, pen-testers and other whistle-blowers who will detect their code and report it.
Major AVs need self-protection, because they are targeted.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I created a simple script to disable some important WD features and compiled it to EXE:
Code:
Global $PowerShellDir = 'c:\Windows\System32\WindowsPowerShell\v1.0\'
Run($PowerShellDir & "PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -DisableRealtimeMonitoring 1; Set-MpPreference -DisableBehaviorMonitoring 1; Set-MpPreference -DisableBlockAtFirstSeen 1; Set-MpPreference -DisableIOAVProtection 1; Set-MpPreference -DisableScriptScanning 1;", "", @SW_HIDE)
After running the EXE file on WIndows 10 ver. 1809 with admin rights, these features were disabled and the EXE file was not detected as malicious. So, adding the Tamper Protection in WD is really important, because without it, any exploit + UAC bypass can easily disarm WD.

Edit
I simplified somewhat the WD protection, because the same EXE file downloaded from the suspicious website, could be classified as malicious. Furthermore, my example did not have additional suspicious features.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Today morning I tested the EXE from my previous post with activated WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". The file was blocked by this rule. So, the combination of WD default protection + the above ASR rule should protect against the executables which try to disarm WD.
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
I created a simple script to disable some important WD features and compiled it to EXE:
Code:
Global $PowerShellDir = 'c:\Windows\System32\WindowsPowerShell\v1.0\'
Run($PowerShellDir & "PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -DisableRealtimeMonitoring 1; Set-MpPreference -DisableBehaviorMonitoring 1; Set-MpPreference -DisableBlockAtFirstSeen 1; Set-MpPreference -DisableIOAVProtection 1; Set-MpPreference -DisableScriptScanning 1;", "", @SW_HIDE)
After running the EXE file on WIndows 10 ver. 1809 with admin rights, these features were disabled and the EXE file was not detected as malicious. So, adding the Tamper Protection in WD is really important, because without it, any exploit + UAC bypass can easily disarm WD.

Edit
I simplified somewhat the WD protection, because the same EXE file downloaded from the suspicious website, could be classified as malicious. Furthermore, my example did not have additional suspicious features.
Can you test the same sample on 1903 to see if Tamper Protection will stop this?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Can you test the same sample on 1903 to see if Tamper Protection will stop this?
For now, the Tamper Protection on Windows ver. 1903 blocks only disabling the below WD settings:
  • Real-time protection;
  • Cloud-delivered protection;
  • IOAV protection;
  • Behavior monitoring;
So, the other features (like script scanning) can still be disabled.
 

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
Disabling Windows Defender
But the really stealthy stuff, and what marks Trickbot as being one of the more dangerous Trojans out in the wild right now, is how it targets those Windows 10 users who rely upon Windows Defender to protect their machines from malware threats. It has been a common thread, at least among the more sophisticated malware seen across the years, to use various methodologies to evade detection by security software and so prevent being neutered.

Trickbot is going the extra malware mile, however, and is not only detecting Windows Defender but employing no less than 17 steps to disable it altogether.

The ever-reliable Bleeping Computer reports that once executed, Trickbot attempts to disable and delete the WinDefend service, terminate processes associated with Windows Defender, add a Windows policy to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.

However, that has apparently not been successful enough, and so the developers of the Trickbot Trojan have now added more steps in their attempt to prevent Windows Defender from protecting Windows 10 users from this threat.

The Bleeping Computer report reveals that researchers MalwareHunterTeam and Vitali Kremez reverse-engineered a newly-discovered Trickbot variant and found it had added a further dozen methods to the attack arsenal. "These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences," Bleeping Computer reports.

 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Considering how much effort they use to disable WD protection, after the malware already infected the computer with admin rights, they probably think that WD has a very strong postinfection protection.:giggle:
There are so many methods to hide the malware with admin rights and without disabling the AV. I am not sure if disabling the AV is the most efficient method for the attacker, but it can be very dangerous for average Windows 10 users, who do not care if WD protection is turned on.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
So with Tamper Protection enabled and the help of Hard_Configurator (Block PowerShell Scripts) there is nothing to worry about.
With H_C Recommended Settings, this malware will be prevented on the delivery stage (MS Office document, script loader, malicious shortcut, malicious executable, etc.). You do not need Tamper Protection. :giggle: (y)
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
With H_C Recommended Settings, this malware will be prevented on the delivery stage (MS Office document, script loader, malicious shortcut, malicious executable, etc.). You do not need Tamper Protection. :giggle: (y)

What about Configure Defender ( high profile) ? I have installed it on many friends computers who only have WD as their main antivirus protection.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top