TrickBot Adds Windows 10 UAC Bypass
The tricky trojan evolves yet again, remaining one of the most advanced vehicles for delivering malware.
The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware across multiple workstations and endpoints on a network, researchers have discovered.
Researchers on the Morphisec Labs team said they discovered code last March that uses the Windows 10 WSReset UAC bypass to circumvent User Account Control in recent TrickBot samples, according to a report released last week. UAC is a Windows security feature designed to prevent changes to the operating system by unauthorized users, applications or malware.
TrickBot is particularly dangerous because it constantly gains new functionality that makes its delivery of malware even harder to detect, Morphisec security researcher Arnold Osipov wrote in the post.
“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” he said. “This is what makes TrickBot among the most advanced malware delivery vehicles: the constant evolution of methodologies used for delivery.”
The report outlines in detail how the new TrickBot feature works. The malware first checks whether the system is running Windows 7 or Windows 10, Osipov wrote; only on Windows 10 does it use the WSReset UAC bypass.
The feature takes advantage of WSReset.exe, a Microsoft-signed executable that, according to its manifest file, is used to reset Windows Store settings, he said.
Key to the success of TrickBot's new functionality is that the ‘autoElevate’ property in the executable's manifest is set to “true,” he said. “This is what allows the WSReset UAC Bypass to be used for privilege escalation,” Osipov wrote.
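The property the report singles out, an embedded manifest with autoElevate set to true on a Microsoft-signed binary, is something a defender can inventory directly. The script below is an added example written for this page, not code from Morphisec or from the article: it pulls the manifest XML out of WSReset.exe and then lists every auto-elevating, Microsoft-signed executable in System32, since each of those is a member of the same class of binaries and worth baselining in endpoint telemetry. It assumes a Windows 10 host with WSReset.exe in its usual System32 location and uses only built-in cmdlets; the function names are the example's own. One general caveat: autoElevate only matters for accounts that are already in the local Administrators group and running in Admin Approval Mode, so a UAC bypass of this kind lifts an existing administrator's medium-integrity process to high integrity rather than escalating a standard user.

```powershell
# Added example (not from the Morphisec report or the article).
# Inventory System32 executables whose embedded manifest declares
# <autoElevate>true</autoElevate>, the property the article says lets
# WSReset.exe be used for a UAC bypass. Built-in cmdlets only.

function Get-EmbeddedManifestText {
    param([Parameter(Mandatory)][string]$Path)
    # The RT_MANIFEST resource is stored as plain XML inside the PE image,
    # so a raw text scan is enough for an inventory; no resource parsing.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $m = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')
    if ($m.Success) { return $m.Value } else { return $null }
}

function Test-AutoElevate {
    param([Parameter(Mandatory)][string]$Path)
    $manifest = Get-EmbeddedManifestText -Path $Path
    if (-not $manifest) { return $false }
    return [bool]($manifest -match '<autoElevate>\s*true\s*</autoElevate>')
}

# The article says TrickBot branches on Windows 7 vs Windows 10; record the
# host's version alongside the findings so the report is self-describing.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: $($os.Caption) (version $($os.Version), build $($os.BuildNumber))"

# Check the specific binary named in the report.
$wsreset = Join-Path $env:SystemRoot 'System32\WSReset.exe'
if (Test-Path $wsreset) {
    $sig = Get-AuthenticodeSignature -FilePath $wsreset
    "WSReset.exe: autoElevate={0} signature={1} signer={2}" -f `
        (Test-AutoElevate -Path $wsreset), $sig.Status, $sig.SignerCertificate.Subject
} else {
    "WSReset.exe not present (expected on Windows 7, which has no Windows Store)"
}

# Broader inventory: every auto-elevating executable in System32, with its
# Authenticode status, so the whole class can be baselined, not just WSReset.
$results = Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter *.exe -File |
    Where-Object { Test-AutoElevate -Path $_.FullName } |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Signature = $s.Status
            Signer    = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '' }
        }
    }
$results | Sort-Object Name | Format-Table -AutoSize
```

The inventory is the useful output: diffing it against a known-good build of the same Windows 10 version shows whether anything auto-elevating has been added, and the signer column confirms that each entry is Microsoft-signed rather than a dropped look-alike. It does not, by itself, detect the bypass being used; for that, process-creation telemetry showing an auto-elevating binary such as WSReset.exe with an unexpected parent or child process is the signal to alert on.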