Sunday, February 16, 2020

Week 10 - TRICKBOT

There is a new Windows 10 Trojan on the move.

 Trickbot

 The Trickbot Trojan is one of the most advanced malware delivery vehicles currently in use. Attackers have leveraged it to deliver a wide variety of malicious code, in many different methods. Just yesterday, bleeping computer reported that news articles from president trump’s impeachment trial have been used to hide trickbot from antivirus scanners.



The wsreset UAC Bypass process begins with Trickbot checking to see if the system it’s on is running Windows 7 or Windows 10. If it is running under Windows 7, it will utilize the CMSTPLUA UAC bypass (the same one as in previous samples). It’s only when the system is running Windows 10 that Trickbot uses the wsreset UAC Bypass.


The WSReset UAC Bypass, discovered in March 2019, allows Trickbot authors to take advantage of the WSReset.exe process. The WSReset.exe process is a Microsoft signed executable that is used to reset Windows Store settings, according to its manifest file. What’s most important here, though, is that the ‘autoElevate’ property is set to “true.” This is what allows the WSReset UAC Bypass to be used for privilege escalation.


Trickbot decrypts its strings in order to use the WSReset UAC Bypass, such as the registry path and the command to execute.

The final step in this bypass is to execute WSReset.exe, which will cause Trickbot to run with elevated privileges without a UAC prompt. Trickbot does that using ‘ShellExecuteExW’ API. This final executable allows Trickbot to deliver its payload onto workstations and other endpoints.

How to keep this from being an exploit?

The Morphisec Unified Threat Prevention Platform blocks Trickbot before it is able to execute its process, including the WSReset UAC Bypass, through the power of moving target defense. By morphing the application memory structures on endpoints, we take away the attackers’ ability to accurately target our customers’ critical systems. This protects workstations, servers, VDIs, and cloud workloads against this and other damaging attacks.

keep a watch out for these hashes.
IOC: (SHA-1)
● b9cc1b651f579ff1afb11427f0ec1c882afde710
● 24263d91575bb825c33e3fd27f35bc7bd611cee3
● 864d3e3f7ad0f144f8d838ea9638d4c264c5c063
● f33c057d652aa70c5f1332e14c0b8d9c77a5aa1c
● b1f7f71b5f7fee1cf38e2591e50cb181f7bd5353
● 6de843fb12f456b0ea42876d82f39fe35b5cf6ca
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)