Threat Watch

TrickBot Variant Targeting Windows Defender

Known as one of the more popular banking Trojans, TrickBot makes efforts to obtain online banking information, crypto wallets, browser details, as well as other data stored within PC’s and browsers. If executed, the trojan begins its processes by deactivating Windows services that pertain to security and it performs elevation in order to gain higher system privileges. After this, the “core” component is loaded through a DLL that adds modules which steal the information, hold the communication layer, and carry out other tasks. Up until this new version was released, there were only around five steps that TrickBot took to target Windows Defender. According to researchers at MalwareHunterTeam and Vitali Kremez, this apparently wasn’t enough, as the new version carries out 12 additional steps to avoid detection. These steps include:

  • Add policies to SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following:
    • DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
    • DisableOnAccessProtection: Disables scanning when you open a program or file.
    • DisableScanOnRealtimeEnable: Disabled process scanning.
  • Configures the following Windows Defender preferences via PowerShell:
    • DisableRealtimeMonitoring: Disables real-time scanning.
    • DisableBehaviorMonitoring: Same as above, except as a Windows Defender preference.
    • DisableBlockAtFirstSeen: Disables Defender’s Cloud Protection feature.
    • DisableIOAVProtection: Disables scans of downloaded files and attachments.
    • DisablePrivacyMode: Disables privacy mode so all users can see threat history.
    • DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
    • DisableScriptScanning:  Disables the scanning of scripts.
    • SevereThreatDefaultAction: Set the value to six, which turns off automatic remediation for severe threats.
    • LowThreatDefaultAction: Set the value to six, which turns off automatic remediation for low threats.
    • ModerateThreatDefaultAction: Set the value to six, which turns off automatic remediation for moderate threats.

If certain additional security programs are detected, a debugger is configured using the Image File Execution Options Registry key. This means that the debugger will run before the program attempting to be executed, if the debugger is nonexistent, the program will not launch.

ANALYST NOTES

Since TrickBot developers are constantly changing the way the trojan operates, it is hard to give a concise defense suggestion. Until more information is released, users should enable TamperProtection if operating on Windows and implement additional layers of security through trusted third-party programs.