Warning!! Windows Defender can be Disabled by New Version of TrickBot Trojan
By Chaitra V M
TrickBot is a particularly stealthy banking Trojan that has existed since 2016. Since then, it is thought to have leaked at least 250 million email accounts in order to distribute its malware payload. TrickBot continues to evolve the way it targets security software in order to evade detection and removal.
TrickBot attempts to steal online banking credentials, browser information, cryptocurrency wallets, and other credentials saved in your browser or on your PC.
TrickBot Disables Windows Defender
In the new version, TrickBot is becoming one of the more dangerous Trojans as it targets Windows 10 users who completely rely on Windows Defender to protect their machines from malware threats.
TrickBot is becoming more sophisticated and powerful. It not only detects Windows Defender but also uses no less than 17 steps to try to disable it completely. This new TrickBot version uses 12 additional methods to disable Windows Defender and Microsoft Defender ATP on Windows.
When TrickBot is executed, it first starts a loader that prepares the system by disabling Windows services and processes associated with security software and by elevating to gain higher system privileges. The "core" component is then loaded by injecting a DLL, which downloads the modules used to steal information from the computer, contains the communication layer, and performs other tasks.
The loader attempts to disable and delete the WinDefend service, terminates processes associated with Windows Defender, adds Windows policies that disable Windows Defender, disables Windows Defender real-time protection, and disables security notifications.
In the previous version, the TrickBot loader targeted Windows Defender (soon to be renamed Microsoft Defender) by performing the following steps:
- Disables and then deletes the WinDefend service.
- Terminates the MsMpEng.exe, MSASCuiL.exe, and MSASCui.exe processes.
- Adds the DisableAntiSpyware Windows policy and sets it to true to disable Windows Defender and possibly other software.
- Disables Windows Security notifications.
- Disables Windows Defender real-time protection.
How to Stop Trickbot?
Block Access to the Windows Registry: The general best fix is to block access to the Windows Registry. Making sure that users do not have admin rights by default is also good mitigation advice.
Use AppLocker: AppLocker is included in Windows 10, but it seems to be rarely used by ordinary users. AppLocker lets you limit which applications and files users can run, covering executable files, dynamic link libraries (DLLs), scripts, Windows Installer files, packaged applications and packaged application installers. Few people use it to allow only authorized software to run on endpoints, but it is indeed a good way to defend against TrickBot.
Windows Tamper Protection: Windows 10’s May 2019 Update brings a new “tamper protection” feature to Windows Security. Windows Tamper Protection prevents attempts to modify Windows Defender settings through the registry and it is turned on by default. This should prevent most of the new steps used by TrickBot from taking effect.
TrickBot does not really bypass tamper protection on Windows 10, which means that as long as tamper protection is not disabled, users on Windows 10 should be relatively safe, as Windows Defender will not be disabled so easily.
TrickBot detects certain installed security programs and will configure a debugger for that process using the Image File Execution Options Registry key. This will cause the debugger to launch before the program is executed.
Researchers noted that in this version, the name of the process used as the debugger has been changed to "kakugulykau", which causes those security programs to fail to launch.
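The following is an added PowerShell audit script, not code from the article or from the TrickBot research it summarizes, that checks a host for the tampering artefacts described above: a missing or stopped WinDefend service, the DisableAntiSpyware policy, real-time and tamper protection state, and Image File Execution Options (IFEO) Debugger values hijacking Defender executables. It assumes the Defender PowerShell module (Get-MpComputerStatus) is available and that the script runs with local administrator rights.

```powershell
# Added example (not from the article): audit a host for TrickBot-style Defender tampering.
# Returns a list of findings; an empty list means none of the checked artefacts were found.
function Test-DefenderTampering {
    $findings = @()

    # 1. WinDefend service: TrickBot disables and then deletes it.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += 'WinDefend service is missing (deleted?)' }
    elseif ($svc.Status -ne 'Running') { $findings += "WinDefend service is $($svc.Status)" }

    # 2. DisableAntiSpyware policy value under the Defender policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disable = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($disable -eq 1) { $findings += "DisableAntiSpyware policy is set to 1 under $policyKey" }

    # 3. Real-time protection and Tamper Protection state reported by Defender itself.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
        if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }
    } else {
        $findings += 'Get-MpComputerStatus returned nothing (Defender module missing or service down)'
    }

    # 4. IFEO Debugger values: a Debugger entry makes Windows launch that binary instead of the
    #    program. Flag every entry, and call out Defender processes named in the article and
    #    debugger paths that do not resolve to a real file (e.g. a bogus process name).
    $ifeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $defender = @('MsMpEng.exe', 'MSASCuiL.exe', 'MSASCui.exe')
    Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.PSChildName
        $dbg   = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }
        # Strip surrounding quotes and arguments so the path can be tested.
        $dbgExe = ($dbg -replace '^"([^"]+)".*$', '$1') -replace '\s.*$', ''
        $exists = Test-Path -Path $dbgExe -ErrorAction SilentlyContinue
        $tag = if ($defender -contains $image) { 'DEFENDER PROCESS' }
               elseif (-not $exists)           { 'debugger path does not exist' }
               else                            { 'review' }
        $findings += "IFEO Debugger on ${image}: '$dbg' [$tag]"
    }
    return $findings
}

# Usage: run as administrator and review anything returned.
Test-DefenderTampering | ForEach-Object { Write-Output "FINDING: $_" }
```

An IFEO Debugger value whose path does not exist is the pattern the article describes (a non-existent "kakugulykau" process), and any Debugger entry on a security product's executable should be treated as a tampering indicator until explained.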