TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

[LASER_oneXM]

Content source

https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/

The TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt.
Windows uses a security mechanism called User Account Control (UAC) that will display a prompt every time a program is run with administrative privileges.

When these prompts are shown, they will ask logged in user if they wish to allow the program to makes changes, and if the program is suspicious or unrecognized, allows the user to prevent the program from running.

 

[Andy Ful]

Like all similar UAC bypasses based on the auto-elevate feature of some Microsoft binaries, the bypass does not work when UAC is set to MAX. But still, the user can be fooled to allow elevation when seeing the UAC prompt for Microsoft application.

 

[ForgottenSeer 823865]

Like all similar UAC bypasses based on the auto-elevate feature of some Microsoft binaries, the bypass does not work when UAC is set to MAX.

Reason i always push people to use it at Max.

 

[SeriousHoax]

Like all similar UAC bypasses based on the auto-elevate feature of some Microsoft binaries, the bypass does not work when UAC is set to MAX. But still, the user can be fooled to allow elevation when seeing the UAC prompt for Microsoft application.

Can you explain this? SimpleWall has an option to bypass UAC prompt in settings which after enabling creates a entry in task scheduler. I don't remember it asking UAC permission before doing this. Mine is set to MAX.

 

[ForgottenSeer 823865]

Can you explain this? SimpleWall has an option to bypass UAC prompt in settings which after enabling creates a entry in task scheduler. I don't remember it asking UAC permission before doing this. Mine is set to MAX.
View attachment 233077View attachment 233076

Probably because it is signed.

 

[Andy Ful]

Can you explain this? SimpleWall has an option to bypass UAC prompt in settings which after enabling creates a entry in task scheduler. I don't remember it asking UAC permission before doing this. Mine is set to MAX.
View attachment 233077View attachment 233076

It is not UAC bypass. Simply the scheduled task is created which starts the application with admin rights (no elevation). UAC bypass is when the application starts with standard rights and next is allowed to gain higher privileges.

 

[Antus67]

The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware across multiple workstations and endpoints on a network, researchers have discovered.


Researchers at Morphisec Labs team said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver malware in recent samples of TrickBot, according to a report released last week. UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, application or malware.
The TrickBot malware is particularly dangerous because it’s constantly evolving with new functionality to make it even harder to detect its delivery of malware, Morphisec security researcher Arnold Osipov wrote in the post.

“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” he said. “This is what makes TrickBot among the most advanced malware delivery vehicles; the constant evolution of methodologies used for delivery.”