Trickbot is not a new threat, but it is an evolving one. The latest twist of the banking Trojan knife as far as Windows 10 users are concerned is the addition of new methods to not only evade but actually disable Windows Defender security protection.
As reported on July 14 in Forbes, Trickbot is a particularly stealthy banking Trojan that has been around since 2016. Since then, it was thought to have compromised no less than 250 million email accounts in an effort to distribute the malware payload. That payload includes the stealing of online banking credentials and cryptocurrency wallets.
Microsoft has always been front and center as far as Trickbot attack campaigns are concerned, with weaponized Word and Excel files being a favored approach. The latest campaign targets Windows 10 users with a highly detailed and convincing, though fake, Office 365 page that prompts for a browser update which in fact installs the Trojan itself.
Disabling Windows Defender
But the really stealthy stuff, and what marks Trickbot as being one of the more dangerous Trojans out in the wild right now, is how it targets those Windows 10 users who rely upon Windows Defender to protect their machines from malware threats. It has been a common thread, at least among the more sophisticated malware seen across the years, to use various methodologies to evade detection by security software and so prevent being neutered.
Trickbot is going the extra malware mile, however, and is not only detecting Windows Defender but employing no less than 17 steps in an attempt to disable it altogether.
The ever-reliable Bleeping Computer reports that once executed, Trickbot attempts to disable and delete the WinDefend service, terminate processes associated with Windows Defender, add a Windows policy to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.
John Opdenakker, an ethical hacker, says that general best practices such as blocking access to the Windows Registry and ensuring that users don’t have admin rights by default make for good mitigation advice. However, it does “depend on how advanced the particular malware is of course,” Opdenakker adds, “and Trickbot appears to perform elevation to gain higher system privileges once executed.”
Then there is AppLocker, something that is included in Windows 10 but rarely seems to be deployed by the average user.
According to the official Microsoft documentation, “AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.”
Ian Thornton-Trump, head of cybersecurity for Amtrust International, says that considering AppLocker is installed and available, “I just don’t understand why more folks are not using it to allow only authorized software to run on endpoints.”
As Thornton-Trump points out, the general rule of thumb when it comes to protecting your systems is “why make it easy?” and he concludes “after all, if you can load a font then you can load an exploit.”
It has also been pointed out to me that Windows “Tamper Protection” blocks attempts to modify Windows Defender settings through the registry and is turned on by default. This should prevent most of the new steps used by Trickbot from being effective.
Vitali Kremez, one of the researchers responsible for the reverse engineering of Trickbot, confirms that it is effective at disabling Windows Defender. However, Kremez also tells me that “it does not really bypass tamper protection on Windows 10,” which means that as long as this has not been disabled “users on Windows 10 should be relatively safe from having their Windows Defender disabled.”
Kremez warns that “TrickBot has more persistence means and methods to stay undetected,” so this shouldn’t be seen as a pass for Windows 10 users. Those who have disabled tamper protection, possibly to avoid conflict with a third-party security application, are certainly at risk.
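As an added example (not from the article, Bleeping Computer or any of the researchers quoted), the read-only PowerShell audit below checks a Windows 10 host for the state changes listed above (WinDefend service stopped or removed, Defender-disabling policy keys, real-time protection and notifications turned off) and reports whether Tamper Protection is still on. It assumes an elevated shell and the standard Defender policy paths and cmdlet property names.

```powershell
# Added example: audit a host for the Defender-disabling changes described in
# the article. Read-only; run from an elevated PowerShell prompt.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service state: the Trojan tries to stop, disable and delete WinDefend.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings.Add('WinDefend service is missing (deleted?)')
} elseif ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
    $findings.Add("WinDefend service is $($svc.Status), start type $($svc.StartType)")
}

# 2. Policy values that switch Defender features off. A value of 1 means "disabled".
$policyChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                                = 'DisableAntiSpyware'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'           = 'DisableRealtimeMonitoring'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' = 'DisableNotifications'
}
foreach ($key in $policyChecks.Keys) {
    $name  = $policyChecks[$key]
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) { $findings.Add("$key\$name = 1") }
}

# 3. Live engine state, including Tamper Protection, which is what stops the
#    registry changes above from taking effect on Windows 10.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine reports disabled') }
    # IsTamperProtected is absent on older builds; only flag it when the property is present and false.
    if ($null -ne $status.IsTamperProtected -and -not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is OFF: policy changes above would take effect')
    }
} else {
    $findings.Add('Get-MpComputerStatus failed: Defender cmdlets unavailable or service down')
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Defender running, no disabling policies set, Tamper Protection on'
} else {
    Write-Output 'WARNING: Defender tampering indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Any finding from the policy or service checks on a machine where Tamper Protection reports on is worth investigating, since a supported configuration change should not leave those values set.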
I have also been informed by Kremez that the Forbes article and the DeepInstinct report it referenced, which refer to 250 million compromised email accounts, are incorrect. “We discovered it way earlier,” Kremez says, adding “the TrickBot group did not compromise 265 million (the actual number) email accounts, but rather they collected those email boxes.”
The title of this story has been amended accordingly to reflect this newly disclosed information.
I have contacted Microsoft to request a statement regarding the changes made to Trickbot and mitigation advice for Windows 10 users. I will update this story once that statement has arrived with me.