Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Manny Ortiz, Director Technology Security, AT&T; Jim Clausing, Principal Member of Technical Staff, AT&T; and John Hogoboom, Lead-Cybersecurity, Security Platforms, AT&T.
Jim: Hello Manny, I understand you've got some info on TrickBot to share with us?
Manny: I do. I think anybody that watches this show probably realizes TrickBot itself isn't new. It's been around since at least 2016. Its first iterations were a banking Trojan. And it came actually right after the Dyre banking trojan. I think it might have actually taken its place. Since 2016, it’s become quite a widely used Trojan and has been repurposed over the years. It's been gaining more functionality and features which we typically see with these types of malware and trojans. And so this story talks about the latest iteration of its changes.
Manny: User Account Control, as most folks probably know, is used within Windows to highlight and alert the user that, "Hey, something is trying to make changes to the system. Do you want to allow these changes to happen?"
John: Right. It's as if you go to install a piece of software and you get this window that pops up and makes a sound. And it's, "This program wants elevated privileges to do whatever."
Manny: Exactly. We've probably talked about it a million times in terms of that box popping up all the time and people basically almost mindlessly clicking, "Yeah, go ahead because I'm in a rush. Let it go do its thing." But in this particular story, they're getting around even that.
What we had seen before this was fodhelper.exe, which is short for feature on demand. And they were using that as the crux of the TrickBot. So, fast forward to now, they're using that same technique, except they've replaced fodhelper with WSReset. WSReset is basically a troubleshooting tool that is used in Windows...
John: A legitimate Windows tool.
Manny: Legitimate Windows tool that came about with Windows 8, when the Windows Store came out. It's a troubleshooting tool that allows you to reset the Windows Store cache. It's basically a troubleshooting tool for Windows Store. It clears out the cache and it's supposed to help with getting things started up again.
John: It's evolved yet again a little bit. They keep adding new tricks to its bag of tricks on how to get access and maintain persistence on devices that it infects.
Manny: So what we've seen is that TrickBot now is, in essence, using this tool. TrickBot is being delivered via the normal routes that we see, like an email.
John: Phishing or whatever.
Manny: ...phishing, right. It gets delivered. You get somebody to click on it. And one thing that also is important to note is that the WSReset within Windows has the auto-elevate property set to true, which means that when you run it, it's automatically run with admin creds.
Jim: It doesn't pop up the UAC box. That's the key. It's a way of bypassing UAC.
John: It's signed as a Windows program so it's legit. It doesn't need UAC.
Manny: Exactly. And the old fodhelper also had these exact same properties. The problem is that across Windows there are tons, hundreds, probably even thousands of binaries that use this auto-elevate property set to true because a lot of this stuff runs in the background.
Manny: They're using this to their advantage to run these programs.
TrickBot uses the ShellExecuteEx Windows API to run itself. It uses reg.exe, which is the registry editor, to modify a couple of registry keys to add in things like the path and the location of the files that they will be running as part of TrickBot. They use the ShellExecute API, which launches the TrickBot binary itself, which has already been written to sort of run some of the commands that they use. TrickBot is able to steal credentials and keys.
John: Passwords out of your browser.
Manny: ...passwords out of your browser. It actually uses ShellExecute to run the Windows shell, which allows TrickBot to do what it does on a system. But I think realistically here, the main purpose or the main point of this entire story is the fact that we are seeing TrickBot using UAC much more often now to avoid popping the message up. When this thing launches now, the user is absolutely oblivious that anything has happened. Whereas before, that was being used by Windows as an ability to alert the user.
John: A safeguard that says, "Hey, something's up, are you sure you want this to happen?" But now you're not going to see that...
Manny: You're not going to see that.
John: ...with using this trick that they've found.
Jim: The key is, a lot of malware is going to look for these binaries that already legitimately do the UAC bypass without the auto-elevate set to true. And the question is, how tightly are those locked down? Or can you get them like in this case, to execute an arbitrary binary by modifying these registry keys?
And that's what TrickBot did here - it got the WSReset to execute its code with privileges. And now it's able to do whatever it wants on the system. There are a number of these out there and the malware authors are always looking at these binaries that have their auto-elevate set to true and see if they can get them to execute other arbitrary binaries on the system.
Manny: Yeah. And by the way, I failed to mention earlier. TrickBot has a lot of different features. This is just one branch of the features. The first thing that TrickBot does when it runs on your system is figure out what OS you're running. Are you running Windows 7 or Windows 10? If you're running Windows 7, it actually takes a different branch. This branch here is for Windows 10.
John: And the other thing about this is, just because TrickBot's using this as a UAC bypass technique, now it's known. And actually, I think a lot of other malware authors look at what other malware authors are doing. There are going to be other things besides TrickBot that are probably going to leverage this as a means to get elevated privileges so that they can do similar things with their malware. I don't really know how Microsoft approaches patching these types of things, but they'll probably have to go relook at WSReset and figure out if there is some way we can prevent this from being used as a bypass technique in malware in the future.
Jim: Maybe hard coding or providing a whitelist of executables that it can run to do the resetting because as I said, the issue is that by changing these registry keys, you can get it to execute an arbitrary executable with elevated privileges. So they'll have to figure out some way of locking that down. And I'm sure they will.
John: And until that time, you know, we need to be vigilant about not running strange malware executables, or even somebody finding a drive-by exploit on a browser that runs an executable that uses this technique, where you're just passively visiting a website and get an infection on your machine. That would be kind of a multi-layered attack. But, you know, things like that have happened in the past.
Manny: Unfortunately, this is a hard problem, I think, for Microsoft to fix because, as we've already seen, they've already gone through iterations - as soon as WSReset gets fixed, they'll find the next one that has the exact same capability. And they'll just exploit that one - and I think they've got hundreds, if not thousands, of these binaries within Windows that malware authors can go after.
John: Be wary of any kind of strange emails…