TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

LASER_oneXM
Thread author
Feb 4, 2016
The TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt.
Windows uses a security mechanism called User Account Control (UAC) that will display a prompt every time a program is run with administrative privileges.

When these prompts are shown, they ask the logged-in user whether they wish to allow the program to make changes, and if the program is suspicious or unrecognized, they allow the user to prevent the program from running.
 

Andy Ful
Dec 23, 2014
Like all similar UAC bypasses based on the auto-elevate feature of some Microsoft binaries, the bypass does not work when UAC is set to MAX. But still, the user can be fooled into allowing elevation when seeing the UAC prompt for a Microsoft application.
 

SeriousHoax
Mar 16, 2019
Like all similar UAC bypasses based on the auto-elevate feature of some Microsoft binaries, the bypass does not work when UAC is set to MAX. But still, the user can be fooled into allowing elevation when seeing the UAC prompt for a Microsoft application.
Can you explain this? SimpleWall has an option to bypass the UAC prompt in settings which, after enabling, creates an entry in Task Scheduler. I don't remember it asking for UAC permission before doing this. Mine is set to MAX.
 

Andy Ful
Dec 23, 2014
Can you explain this? SimpleWall has an option to bypass the UAC prompt in settings which, after enabling, creates an entry in Task Scheduler. I don't remember it asking for UAC permission before doing this. Mine is set to MAX.
It is not a UAC bypass. Simply, a scheduled task is created which starts the application with admin rights (no elevation). A UAC bypass is when the application starts with standard rights and is then allowed to gain higher privileges.
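Added example (not code from any post in this thread): a PowerShell audit for the two points Andy Ful makes above, whether UAC sits at the "Always notify" level that defeats auto-elevate bypasses, and which scheduled tasks are configured to run with highest privileges, the SimpleWall-style pattern that is elevation by design rather than a bypass. The registry value names are the standard UAC policy values; the function names are my own.

```powershell
# Added example: audit UAC level and highest-privilege scheduled tasks.
# Assumes a Windows 10 host; function names are the author's own and not
# taken from any tool discussed in the thread.

function Test-UacAlwaysNotify {
    # "Always notify" (the MAX slider position) is EnableLUA=1,
    # ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1.
    # The Windows default is ConsentPromptBehaviorAdmin=5, which lets signed
    # Windows binaries auto-elevate without a prompt.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1) -and
                                     ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                                     ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Get-HighestRunLevelTask {
    # Tasks whose principal runs at the highest privilege level launch already
    # elevated, so no UAC prompt appears: elevation by design, not a bypass.
    # Review any entry you do not recognise.
    Get-ScheduledTask |
        Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Execute  = $action.Execute   # null for non-exec actions
                    Args     = $action.Arguments
                    State    = $task.State
                }
            }
        }
}

$uac = Test-UacAlwaysNotify
$uac | Format-List
if (-not $uac.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify"; auto-elevate based bypasses may succeed.'
}
Get-HighestRunLevelTask | Format-Table -AutoSize
```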
 

Antus67
Nov 3, 2019
The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware across multiple workstations and endpoints on a network, researchers have discovered.

Researchers at Morphisec Labs said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent User Account Control and deliver malware in recent samples of TrickBot, according to a report released last week. UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, applications or malware.
The TrickBot malware is particularly dangerous because it’s constantly evolving with new functionality to make it even harder to detect its delivery of malware, Morphisec security researcher Arnold Osipov wrote in the post.

“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” he said. “This is what makes TrickBot among the most advanced malware delivery vehicles; the constant evolution of methodologies used for delivery.”
 
