Old Windows ‘Mock Folders’ UAC bypass used to drop malware

Gandalf_The_Grey

A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware, with the aid of an old Windows User Account Control bypass discovered over two years ago.

The use of mock trusted directories to bypass Windows User Account Control stands out in the attack as it's been known since 2020 but remains effective today.

The latest Remcos campaign was observed and analyzed by SentinelOne researchers, who documented their findings in a report published today.
Sentinel One suggests that system administrators configure Windows UAC to "Always Notify," albeit this might be too obstructive and noisy.

Admins should also monitor for suspicious file creations or process executions in trusted filesystem paths with trailing spaces, especially folders containing the string "\Windows".
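The monitoring advice above (file creations and process executions in trusted paths with trailing spaces) as working detection logic. This is an added example, not code from the original post or from SentinelOne's report. It relies on one Windows fact: normal Win32 path parsing strips trailing spaces and dots from each path component, so a directory such as "C:\Windows \System32" (note the space) can only exist if it was created through the extended-length \\?\ prefix, and any path containing such a component is worth a look. The Sysmon-style key=value log lines, the TRUSTED_ROOTS list and all file names in the block are constructed placeholders; the function names are mine.

```python
import os
import re

# Directory roots the "mock trusted directory" trick impersonates.  Constructed
# for this example; only C:\Windows is listed because that is the string the
# post tells admins to watch for.
TRUSTED_ROOTS = (r"c:\windows",)

# Sysmon-style fields that carry a filesystem path (EventID 1 = process create,
# EventID 11 = file create).
PATH_FIELDS = ("Image", "ParentImage", "TargetFilename")

_EXTENDED_PREFIX = "\\\\?\\"   # the literal \\?\ extended-length prefix


def split_components(path: str) -> list:
    """Split a Windows path on backslashes, dropping a leading extended-length prefix."""
    if path.startswith(_EXTENDED_PREFIX):
        path = path[len(_EXTENDED_PREFIX):]
    return path.replace("/", "\\").split("\\")


def has_trailing_space_component(path: str) -> bool:
    """True if any path component ends in a space.  Normal Win32 parsing strips
    trailing spaces, so such a component only survives when the directory was
    created via the extended-length prefix, which is the mock-folder trick."""
    return any(c and c != c.rstrip(" ") for c in split_components(path))


def canonical(path: str) -> str:
    """The path Win32 parsing would have produced: trailing spaces and dots
    removed from every component, lower-cased, extended-length prefix dropped."""
    return "\\".join(c.rstrip(" .") for c in split_components(path)).lower()


def classify_path(path: str):
    """None (nothing odd), 'trailing_space' (suspicious anywhere) or
    'mock_trusted_dir' (trailing-space path that collides with a trusted root)."""
    if not has_trailing_space_component(path):
        return None
    canon = canonical(path)
    if any(canon == root or canon.startswith(root + "\\") for root in TRUSTED_ROOTS):
        return "mock_trusted_dir"
    return "trailing_space"


def parse_event(line: str) -> dict:
    """Parse 'Key=value Key2=value' lines.  The lookahead ends a value only at
    ' Key=' so spaces inside paths (including the trailing one) survive."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def scan_events(lines):
    """Return (EventID, field, path, verdict) for every suspicious path field."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for field in PATH_FIELDS:
            path = event.get(field)
            verdict = classify_path(path) if path else None
            if verdict:
                hits.append((event.get("EventID"), field, path, verdict))
    return hits


def find_trailing_space_dirs(root: str) -> list:
    """Walk a live filesystem and return directories whose name ends in a space
    (run against the system drive on a Windows host; os.walk returns raw names)."""
    found = []
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            if d != d.rstrip(" "):
                found.append(os.path.join(parent, d))
    return found


# Constructed Sysmon-like log lines; executable and DLL names are placeholders.
EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=11 TargetFilename=C:\Windows \System32\helper.dll Image=C:\Users\bob\AppData\Local\Temp\dropper.exe",
    r"EventID=1 Image=C:\Windows \System32\autoelevate.exe ParentImage=C:\Users\bob\AppData\Local\Temp\dropper.exe",
    r"EventID=11 TargetFilename=C:\Users\bob\Downloads \invoice.pdf.exe Image=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"EventID=1 Image=C:\Program Files\Notepad++\notepad++.exe ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for event_id, field, path, verdict in scan_events(EVENTS):
        print(f"EventID {event_id}: {field}={path!r} -> {verdict}")
```

On a real host, feed `scan_events` an export of Sysmon process-creation and file-creation events, or call `find_trailing_space_dirs` on the system drive to catch mock folders that already exist. `canonical` is also useful when triaging a hit: it gives the genuine path the fake one is imitating, so you can compare the two directories' contents.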
 

Andy Ful

As @upnorth noticed, this UAC bypass method cannot work when UAC is set to "Always Notify". It is true for all bypasses related to the auto-elevation feature. The "Always Notify" setting will stop most UAC bypasses, but not all (one old example still works in the wild).
The stronger protection is using SUA which can stop almost all bypasses. Of course, when one uses a weak admin password, then the malware can find it via a brute-force attack.
 

cruelsister

"Sentinel One suggests that system administrators configure Windows UAC to "Always Notify," albeit this might be too obstructive and noisy."

Although setting UAC to the Max may indeed stop this malware with an old mechanism, UAC at Max certainly will not protect against newer malware that UAC at any setting blissfully ignores.

But I certainly agree that UAC at Always Notify is indeed "too obstructive and noisy".
 

piquiteco

The stronger protection is using SUA which can stop almost all bypasses. Of course, when one uses a weak admin password, then the malware can find it via a brute-force attack.
Using a standard account (SUA), will I be protected?
 

oldschool

Using a standard account (SUA), will I be protected?
Yes, as indicated by the quote you referenced.
As @upnorth noticed, this UAC bypass method cannot work when UAC is set to "Always Notify". It is true for all bypasses related to the auto-elevation feature. The "Always Notify" setting will stop most UAC bypasses, but not all (one old example still works in the wild).
The stronger protection is using SUA which can stop almost all bypasses. Of course, when one uses a weak admin password, then the malware can find it via a brute-force attack.
 

Trident

Although setting UAC to the Max may indeed stop this malware with an old mechanism, UAC at Max certainly will not protect against newer malware that UAC at any setting blissfully ignores.
Noisy, flawed concept. If attackers can get you to download a file they will certainly get you to click “Yes” or enter password if needed. If they are unable to trick you into downloading anything then the noise is not needed.
 

Andy Ful

SUA is just another protection layer. It is the solution for people who prefer security over usability. It is also recommended for kids when they do not know the admin password. Some people use SUA for web-related tasks, managing documents from unsecured sources, watching films, etc. Generally, SUA is OK, when one can conveniently split the daily work between two (or more) accounts.
 

Trident

It is also recommended for kids when they do not know the admin password
That’s what it is most useful for. If a few people use a device, one will be the administrator (presumably someone who knows what they are doing) and the rest (it may be kids or people who are not knowledgeable) will be prevented from making changes.

For single users who know the password and are capable of inputting it at any time (which is more and more today) it provides very little benefits and a lot of time wasted.
 
