Week 10 - TRICKBOT

There is a new Windows 10 Trojan on the move.

Trickbot

The Trickbot Trojan is one of the most advanced malware delivery vehicles currently in use. Attackers have leveraged it to deliver a wide variety of malicious code, in many different methods. Just yesterday, bleeping computer reported that news articles from president trump’s impeachment trial have been used to hide trickbot from antivirus scanners.

The wsreset UAC Bypass process begins with Trickbot checking to see if the system it’s on is running Windows 7 or Windows 10. If it is running under Windows 7, it will utilize the CMSTPLUA UAC bypass (the same one as in previous samples). It’s only when the system is running Windows 10 that Trickbot uses the wsreset UAC Bypass.

The WSReset UAC Bypass, discovered in March 2019, allows Trickbot authors to take advantage of the WSReset.exe process. The WSReset.exe process is a Microsoft signed executable that is used to reset Windows Store settings, according to its manifest file. What’s most important here, though, is that the ‘autoElevate’ property is set to “true.” This is what allows the WSReset UAC Bypass to be used for privilege escalation.

Trickbot decrypts its strings in order to use the WSReset UAC Bypass, such as the registry path and the command to execute.

The final step in this bypass is to execute WSReset.exe, which will cause Trickbot to run with elevated privileges without a UAC prompt. Trickbot does that using ‘ShellExecuteExW’ API. This final executable allows Trickbot to deliver its payload onto workstations and other endpoints.

How to keep this from being an exploit?

The Morphisec Unified Threat Prevention Platform blocks Trickbot before it is able to execute its process, including the WSReset UAC Bypass, through the power of moving target defense. By morphing the application memory structures on endpoints, we take away the attackers’ ability to accurately target our customers’ critical systems. This protects workstations, servers, VDIs, and cloud workloads against this and other damaging attacks.

keep a watch out for these hashes.

IOC: (SHA-1)

● b9cc1b651f579ff1afb11427f0ec1c882afde710

● 24263d91575bb825c33e3fd27f35bc7bd611cee3

● 864d3e3f7ad0f144f8d838ea9638d4c264c5c063

● f33c057d652aa70c5f1332e14c0b8d9c77a5aa1c

● b1f7f71b5f7fee1cf38e2591e50cb181f7bd5353

● 6de843fb12f456b0ea42876d82f39fe35b5cf6ca

Week 9 - Operation Shadowhammer

There are many manufacturers of computer systems around the world.  One of my personal favorite vendors is ASUS.  Even though they are a great company, they are not immune to cyber threats, as well as hacking their software. 

In early 2019, ASUS was hit with a supply chain attack that leveraged ASUS Live Update software.  The attack took place between June and November 2018 and according to ASUS's telemetry, it affected a large number of users.

ASUS Live Update is an tool that comes pre-installed on most of ASUS computers.  It is used to automatically update certain components such as BIOS, UEFI, drivers and applications. According to a Gartner report, ASUS was the world’s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase. 

The goal of this attack is to specifically target an set pool of users, which were identified by their network adapters’ MAC addresses. To do this, the hackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. ASUS was able to extract more than 600 unique MAC addresses from over 200 samples used in the attack. Of course, there might be other samples out there with different MAC addresses in their list.

Are you affected?

ASUS created a tool which can be run to determine if your computer has been one of the surgically selected targets of the attack. To check this, it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found.

If you were on the list of affected users, then the hack is no longer a threat.  At the end of March 2019, the 2 hosted updates servers where the attackers were using legitimate certificates to mask their packages have been found and removed.  The Live Update software now available is now safe to use.

WEEK 8 - The WINRAR Bug

I am not sure what is the latest software used to unzip files, but I have been using WinRAR for the better part of the Millennium.  It is a great program that will unwrap many types of compressed files.  But lately someone has developed a hack that make the WinRAR program do some nasty things.

"By renaming an ACE file with a RAR extension, hackers could manipulate WinRAR to extract a malicious program to a computer's startup folder. The program would then run automatically when your computer started. Check Point says the flaw existed for 19 years. In response to the blog post, WinRAR was quick to patch the vulnerability, releasing a version 5.70 beta 1 in which it dropped support for ACE archives. Turns out the company was using a third party tool to unpack ACE archives anyway, and it hadn't been updated since 2005." (Fischer, 2019)

Luckily this bug has been fixed as long as you update to the latest version of 5.7.  It is funny to think that this flaw, although unused, has been out there for the past 19 years.

NOTE: WinRAR does not patch automatically – you have to manually update your software to be safe.

“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.” (Muncaster, 2019)

Something else to note is that Saudi Arabian targets account for 42% of total attacks since 2016, but the US is a close second with 34% before a big drop off with Belgium (6%) in third.


Fisher, C. (2019, February 21). WinRAR patched 19-year-old bug that left millions vulnerable. Retrieved February 1, 2020, from https://www.engadget.com/2019/02/21/winrar-19-year-old-bug-patched/

Muncaster, P. (2019, March 28). Hackers Queue Up to Exploit WinRAR Bug. Retrieved February 1, 2020, from https://www.infosecurity-magazine.com/news/hackers-queue-up-to-exploit-winrar-1/