Windows 10 UAC bypass used by Trickbot to deliver payload

News by Rene Millman

The hackers behind Trickbot have added a new Windows 10 UAC bypass to the malware to in order to execute code without the victim knowing.

The hackers behind Trickbot have added a new Windows 10 UAC bypass to the malware to in order to execute code without the victim knowing.

According to a blog post by Morphisec, the malware can execute itself and elevate its privileges without displaying a User Account Control window. The latest iteration of the malware uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver its payload onto user machines.

Researchers said that the WSReset UAC Bypass process begins with Trickbot checking to see if the system it’s on is running Windows 7 or Windows 10. If it is running under Windows 7, it will utilize the CMSTPLUA UAC bypass (the same one as in previous samples). 

“It’s only when the system is running Windows 10 that Trickbot uses the WSReset UAC Bypass,” researchers added.

This bypass was discovered in March 2019 and enables Trickbot authors to take advantage of the WSReset.exe process. The WSReset.exe process is a Microsoft signed executable that is used to reset Windows Store settings, according to its manifest file

“What’s most important here, though, is that the ‘autoElevate’ property is set to “true.” This is what allows the WSReset UAC Bypass to be used for privilege escalation,” said researchers.

Trickbot decrypts its strings in order to use the WSReset UAC Bypass, such as the registry path and the command to execute. It then uses “reg.exe” in order to add the relevant keys that allows it to use the WSReset UAC Bypass.

Lastly, it runs WSReset.exe, which will cause Trickbot to run with elevated privileges without a UAC prompt. Researchers said that Trickbot does that using ‘ShellExecuteExW’ API. This final executable allows Trickbot to deliver its payload onto workstations and other endpoints.

Researchers said that by morphing the application memory structures on endpoints, a hacker’s ability to accurately target critical systems can be diminished.

Kelvin Murray, senior threat researcher at Webroot, told SC Media UK that by setting UAC to its max (or always notify), setting this attack can be mitigated. 

“It is hoped that Microsoft will issue a patch specifically to address this issue, but there has been nothing announced so far from the OS developer,” he said.

As far as stopping Trickbot attacks in general, the best way to do this is to stop Emotet, Trickbot's main delivery method. 

“Updates, email filtering, user education (to evade phishing attempts), good password hygiene and AV protection are all recommended to prevent injury from these malware heavyweights. Trickbot will steal data from machines before typically dropping devastating ransomware like Ryuk.  So, we would advise organisations invest in prevention as the damage done will be irreversible,” added Murray.

Kevin Bocek, VP security strategy and threat intel at Venafi, told SC Media UK that Trickbot’s sophisticated entry and credential stealing techniques are well known.

“This latest exploit harnesses the power of Microsoft’s own code signing with Windows 10 Store utilities, in the knowledge that most enterprises won’t be paying attention and code signing evades even sophisticated Next Gen AV. To protect themselves enterprises must have full control over every code signing certificate they use, especially during the software development pipeline and signing process. It’s time we get serious about machine identities or expect complete chaos,” he said. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews