1. Home > Web_defense >

TRICKBOT uses the new win 10 UAC bypass

The Trickbot Trojan is the most advanced malware spreading attack currently in use. Attackers can use the Trickbot Trojan to spread different types of malicious code in different ways. Recently, researchers found that the TRICKBOT Trojan uses a new Windows 10 UAC bypass technology.
Researchers found that Trickbot is always looking for new ways to spread Trojan horses to users’ machines. This is why Trickbot is the most advanced malware spreading tool, and its spreading methods are constantly updated and iterated.
Morphisec Labs researchers discovered that the latest TRICKBOT Trojan uses a privileged Windows 10 WSReset UAC bypass method to bypass user account control and spread the payload to the user's machine.
Trickbot’s WSReset UAC bypass process first checks whether the system is running on Windows 7 or Windows 10. If running on a Windows 7 system, use CMSTPLUA UAC to bypass. Only when running on a Windows 10 system, Trickbot uses WSReset UAC to bypass.

Figure 1 Operating system version check

Figure 2 If you are running on Windows 10, use WSReset UAC to bypass
WSReset UAC bypass was discovered in March 2019 and allows Trickbot developers to use it WSReset.exe process. According to the mainfest file, the WSReset.exe process is a signed executable file of Microsoft used to reset Windows storage settings. The most important thing is that its ‘autoElevate’ feature is set to "true". This is why WSReset UAC bypass can be used for privilege escalation.

Figure 3 WSReset manifest.
Trickbot will decrypt its string to use WSReset UAC bypass, for example The registry path and the command to be executed.

Figure 4 Trickbot command preparation
Then, Trickbot will use "reg.exe" to add Related keys, these keys can be used to bypass using WSReset UAC.

Picture 5 Use reg.exe to add the relevant key

Figure 6 The registry before WSReset execution
The last step to bypass is to execute WSReset.exe, which Trickbot can use to run with elevated privileges without UAC pop-ups. Trickbot uses the ‘ShellExecuteExW’ API. The final executable file allows Trickbot to spread the payload to workstations and other terminals.

Figure 7 WSReset.exe execution

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com/:http://www.internetweblist.com/Web_defense/24569.html

Contact Us

Online consultation:click here to give a message