July 31, 2019 By King
Trickbot is not a new threat, but it is an evolving one. The latest twist of the banking Trojan knife as far as Windows 10 users are concerned is the addition of new methods to not only evade but actually disable Windows Defender security protection.
As reported July 14 at Forbes, Trickbot is a particularly stealthy banking Trojan that has been around since 2016. Since then, it is thought to have compromised no less than 250 million email accounts in an effort to distribute the malware payload, which steals online banking credentials and cryptocurrency wallets.
Microsoft software has always been front and center as far as Trickbot attack campaigns are concerned, with weaponized Word and Excel files being a favored approach. The latest campaign targets Windows 10 users with a highly detailed and convincing, though fake, Office 365 page that prompts for a browser update which in fact installs the Trojan itself.
Disabling Windows Defender
But the really stealthy stuff, and what marks Trickbot as one of the more dangerous Trojans out in the wild right now, is how it targets those Windows 10 users who rely upon Windows Defender to protect their machines from malware. Using various methods to evade detection by security software, and so avoid being neutered, has been a common thread among the more sophisticated malware seen over the years.
Trickbot is going the extra malware mile, however, and is not only detecting Windows Defender but employing no less than 17 steps to disable it altogether.
The ever-reliable Bleeping Computer reports that once executed, Trickbot attempts to disable and delete the WinDefend service, terminate processes associated with Windows Defender, add a Windows policy to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.
However, that has apparently not been successful enough, and so the developers of the Trickbot Trojan have now added more steps in their attempt to prevent Windows Defender from protecting Windows 10 users from this threat.
The Bleeping Computer report reveals that researchers MalwareHunterTeam and Vitali Kremez reverse-engineered a newly discovered Trickbot variant and found it had added a further dozen methods to the attack arsenal. “These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences,” Bleeping Computer reports.
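The settings Bleeping Computer describes (the WinDefend service, Defender processes, policy keys in the Registry and preferences reachable through Set-MpPreference) can be read back to check whether a machine has already been tampered with. The following read-only audit is an added example, not code from the article or from the researchers it quotes; it assumes an elevated PowerShell session on Windows 10 with the built-in Defender module, and the registry value names are the documented Group Policy settings for switching Defender off.

```powershell
# Added example, not from the article: read-only audit of the Windows Defender state that
# Trickbot is reported to tamper with. Assumes elevated PowerShell on Windows 10 with the Defender module.
function Test-DefenderTampering {
    $findings = @()
    # 1. WinDefend service: the malware is reported to stop and delete it.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += 'WinDefend service is missing (deleted?)'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "WinDefend service is $($svc.Status), expected Running"
    }
    # 2. Antimalware engine process that the malware is reported to terminate.
    if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
        $findings += 'MsMpEng.exe is not running'
    }
    # 3. Policy registry values that switch Defender off (documented Group Policy names);
    #    a value of 1 means the policy is actively disabling protection.
    $policyChecks = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = 'DisableAntiSpyware'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = 'DisableRealtimeMonitoring'
    }
    foreach ($path in $policyChecks.Keys) {
        $name = $policyChecks[$path]
        $val  = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) { $findings += "Policy $path\$name = 1" }
    }
    # 4. Preferences that Set-MpPreference can flip; read them back with Get-MpPreference.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                       'DisableIOAVProtection', 'DisableScriptScanning') {
            if ($pref.$p) { $findings += "Get-MpPreference: $p is True" }
        }
    } else {
        $findings += 'Get-MpPreference failed (Defender module or service unavailable)'
    }
    # 5. Tamper Protection is the control designed to block exactly this class of change.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status -and -not $status.IsTamperProtected) {
        $findings += 'Tamper Protection is off'
    }
    return $findings
}

$result = Test-DefenderTampering
if ($result.Count -eq 0) { 'No Defender tampering indicators found' } else { $result }
```

An empty result only means these particular switches are in their expected state; it is a quick triage check, not proof that the machine is clean.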
Can Trickbot be stopped?
John Opdenakker, an ethical hacker, says that general best practice such as blocking access to the Windows Registry and ensuring that users don’t have admin rights by default make for good mitigation advice. However, it does “depend on how advanced the particular malware is of course,” Opdenakker adds, “and Trickbot appears to perform elevation to gain higher system privileges once executed.”
Then there is AppLocker, something that is included in Windows 10 but rarely seems to be deployed by the average user.
According to the official Microsoft documentation, “AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.”
Ian Thornton-Trump, head of cybersecurity for Amtrust International, says that considering AppLocker is installed and available, “I just don’t understand why more folks are not using it to allow only authorized software to run on endpoints.”
As Thornton-Trump points out, the general rule of thumb when it comes to protecting your systems is “why make it easy?” and he concludes “after all, if you can load a font then you can load an exploit.”
I have contacted Microsoft to request a statement regarding the changes made to Trickbot and mitigation advice for Windows 10 users. I will update this story once that statement has arrived with me.