New version of Trickbot Trojan targets Windows Defender

• This new Trickbot version uses additional 12 methods to disable Windows Defender and Microsoft Defender ATP in Windows.
• These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences.

Researchers spotted a new version of the TrickBot banking Trojan that targets Microsoft’s Windows Defender in order to prevent its detection and removal.

How does it work?

• Once this new version gets executed, it starts a loader that disables Windows services and processes, associated with the Windows Defender.
• It then performs privilege escalation to gain higher system privileges.
• After this, it loads the "core" component by injecting a DLL.
• This DLL downloads modules that are designed to steal information from the computer, contain the communication layer, and perform other tasks.

Methods used to disable Windows Defender

Security researcher Vitali Kremez and researchers from MalwareHunterTeam analyzed the sample and noted that this new Trickbot version uses additional 12 methods to disable Windows Defender and Microsoft Defender ATP in Windows. These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences.

The additional methods includes adding policies to SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following settings.

• DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
• DisableOnAccessProtection: Disables scanning when users open a program or file.
• DisableScanOnRealtimeEnable: Disables process scanning.

It also configures the following Windows Defender preferences via PowerShell.

• DisableRealtimeMonitoring: Disables real-time scanning.
• DisableBehaviorMonitoring: Disables behavior monitoring as a Windows Defender preference.
• DisableBlockAtFirstSeen: Disables Defender's Cloud Protection feature.
• DisableIOAVProtection: Disables the scanning of downloaded files and attachments.
• DisablePrivacyMode: Disables privacy mode so all users can see threat history.
• DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
• DisableScriptScanning: Disables the scanning of scripts.
• SevereThreatDefaultAction: Sets the value to 6, which turns off automatic remediation for severe threats.
• LowThreatDefaultAction: Sets the value to 6, which turns off automatic remediation for low threats.
• ModerateThreatDefaultAction: Sets the value to 6, which turns off automatic remediation for moderate threats.

Debugger configuration

TrickBot detects certain installed security programs and will configure a debugger for that process using the Image File Execution Options Registry key. This will cause the debugger to launch before the program is executed.

Researchers noted that in this version, the name of the process used as the debugger has been changed to “kakugulykau”, which will cause the programs to not be able to launch.