Trickbot is not a new threat, but it is an evolving one. The latest twist of the banking Trojan knife as far as Windows 10 users are concerned is the addition of new methods to not only evade but actually disable Windows Defender security protection.
As reported on July 14 in Forbes, Trickbot is a particularly stealthy banking Trojan that has been around since 2016. Since then, it was thought to have compromised no less than 250 million email accounts in an effort to distribute the malware payload. That payload includes the stealing of online banking credentials and cryptocurrency wallets.
Microsoft has always been front and center as far as Trickbot attack campaigns are concerned, with weaponized Word and Excel files being a favored approach. The latest campaign is targeting Windows 10 users and implementing a highly detailed and convincing, but fake nonetheless, Office 365 page to prompt for browser updates that install the Trojan itself.
Disabling Windows Defender
But the really stealthy stuff, and what marks Trickbot as being one of the more dangerous Trojans out in the wild right now, is how it targets those Windows 10 users who rely upon Windows Defender to protect their machines from malware threats. It has been a common thread, at least among the more sophisticated malware seen across the years, to use various methodologies to evade detection by security software and so prevent being neutered.
Trickbot is going the extra malware mile, however, and is not only detecting Windows Defender but employing no less than 17 steps in an attempt to disable it altogether.
The ever-reliable Bleeping Computer reports that once executed, Trickbot attempts to disable and delete the WinDefend service, terminate processes associated with Windows Defender, add a Windows policy to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.
However, that has apparently not been successful enough, and so the developers of the Trickbot Trojan have now added more steps in their attempt to prevent Windows Defender from protecting Windows 10 users from this threat.
The Bleeping Computer report reveals that researchers MalwareHunterTeam and Vitali Kremez reverse-engineered a newly-discovered Trickbot variant and found it had added a further dozen methods to the attack arsenal. “These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences,” Bleeping Computer reports.
Can Trickbot be stopped?
John Opdenakker, an ethical hacker, says that general best practice such as blocking access to the Windows Registry and ensuring that users don’t have admin rights by default make for good mitigation advice. However, it does “depend on how advanced the particular malware is of course,” Opdenakker adds, “and Trickbot appears to perform elevation to gain higher system privileges once executed.”
Then there is AppLocker, something that is included in Windows 10 but rarely seems to be deployed by the average user.
According to the official Microsoft documentation, “AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.”
Ian Thornton-Trump, head of cybersecurity for Amtrust International, says that considering AppLocker is installed and available, “I just don’t understand why more folks are not using it to allow only authorized software to run on endpoints.”
As Thornton-Trump points out, the general rule of thumb when it comes to protecting your systems is “why make it easy?” and he concludes “after all, if you can load a font then you can load an exploit.”
It has also been pointed out to me that Windows “Tamper Protection” blocks attempts to modify Windows Defender settings through the registry and is turned on by default. This should prevent most of the new steps used by Trickbot from being effective.
Vitali Kremez, one of the researchers responsible for the reverse engineering of Trickbot, confirms that it is effective in disabling Windows Defender. However, Kremez also tells me that “it does not really bypass tamper protection on Windows 10,” which means that as long as this has not been disabled “users on Windows 10 should be relatively safe from having their Windows Defender disabled.”
A Microsoft spokesperson issued the following statement: “The latest version of Windows Defender protects against this variant of Trickbot malware. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Kremez warns that “TrickBot has more persistence means and methods to stay undetected,” so this shouldn’t be seen as a pass for Windows 10 users. Those who have disabled tamper protection, possibly to avoid conflict with a third-party security application, are certainly at risk.
I have also been informed by Kremez that the Forbes article and the DeepInstinct report it referenced, which refers to 250 million email accounts compromised is incorrect. “We discovered it way earlier,” Kremez says, adding “the TrickBot group did not compromise 265 million (the actual number) email accounts, but rather they collected those email boxes.” The title of this story has been amended accordingly to reflect this newly disclosed information. Read More