Researchers spotted a new version of the TrickBot banking Trojan that targets Microsoft’s Windows Defender in order to prevent its detection and removal.
How does it work?
Methods used to disable Windows Defender
Security researcher Vitali Kremez and researchers from MalwareHunterTeam analyzed the sample and noted that this new TrickBot version uses 12 additional methods to disable Windows Defender and Microsoft Defender ATP on Windows. These methods rely on either Registry policy settings or the Set-MpPreference PowerShell cmdlet to change Windows Defender preferences.
The additional methods include adding policies under SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following settings.
It also sets the following Windows Defender preferences through Set-MpPreference in PowerShell.
TrickBot also checks for certain installed security programs and, for each one it finds, registers a "debugger" for that program's executable under the Image File Execution Options Registry key. Windows then launches the named debugger (with the original program as its argument) whenever that program is started, so the debugger runs instead of the security program.
Researchers noted that in this version the name of the process used as the debugger has been changed to "kakugulykau". Because no executable by that name exists, the targeted security programs can no longer launch.
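The three tampering surfaces described above (the Real-Time Protection policy key, Set-MpPreference preferences, and IFEO "debugger" hijacks) can be audited from PowerShell. The following script is an added example written for this page; it is not code from the article, from the researchers, or from the TrickBot sample. The policy value names and preference names it checks are well-known Windows Defender settings chosen for illustration, since the article does not reproduce the exact list the sample sets; treat them as assumptions to adjust for your environment.

```powershell
# Added audit script (not from the article or the malware): reports Defender settings
# that have been switched off via policy or Set-MpPreference, and IFEO Debugger values
# whose target does not exist on disk. Run in an elevated PowerShell on a host with
# the Defender module available (Get-MpPreference).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Well-known DWORD policy names under the Real-Time Protection key (assumed list for
# illustration; 1 = feature disabled). The article does not name which ones TrickBot sets.
$policyNames = @(
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
    'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable', 'DisableIOAVProtection'
)

# Get-MpPreference properties that mirror common Set-MpPreference -Disable* switches
# (assumed list for illustration; $true = protection turned off).
$prefNames = @(
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'DisableScriptScanning', 'DisableBlockAtFirstSeen', 'DisableIntrusionPreventionSystem'
)

function Get-DefenderPolicyTampering {
    # Policy values win over user/admin preferences, so a 1 here silently disables the feature.
    if (-not (Test-Path -Path $policyKey)) { return @() }
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyNames) {
        $value = $props.$name
        if ($null -ne $value -and $value -eq 1) {
            [pscustomobject]@{ Source = 'Policy'; Name = $name; Value = $value; Note = 'feature disabled by policy' }
        }
    }
}

function Get-MpPreferenceTampering {
    # Same checks against the live Defender preference store that Set-MpPreference writes to.
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { return @() }
    foreach ($name in $prefNames) {
        if ($pref.$name -eq $true) {
            [pscustomobject]@{ Source = 'MpPreference'; Name = $name; Value = $pref.$name; Note = 'preference disabled' }
        }
    }
}

function Get-IfeoDebuggerHijacks {
    # Every IFEO subkey is an executable name; a Debugger value makes Windows start that
    # debugger instead of the program. A debugger that does not resolve to a real file
    # means the program can never launch, which is the effect the article describes.
    Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $exe = ($dbg -split ' ')[0].Trim('"')
            $resolves = [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Source = 'IFEO'
                Name   = $_.PSChildName
                Value  = $dbg
                Note   = if ($resolves) { 'debugger exists (verify it is legitimate)' } else { 'debugger missing: program cannot start' }
            }
        }
    }
}

$findings = @(Get-DefenderPolicyTampering) + @(Get-MpPreferenceTampering) + @(Get-IfeoDebuggerHijacks)
if ($findings.Count -eq 0) {
    Write-Output 'No Defender policy/preference tampering or IFEO debugger hijacks found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Legitimate IFEO Debugger entries do exist (developer tooling, some accessibility replacements), so the script reports every one it finds and flags only those whose debugger cannot be resolved as definitely blocking the program; the rest should be compared against a known-good baseline. The policy key is also where a compromised host will keep Defender off even after an administrator re-enables it through the UI, which is why the audit reads the policy hive and not just Get-MpPreference.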