New version of Trickbot Trojan targets Windows Defender


This new Trickbot version uses 12 additional methods to disable Windows Defender and Microsoft Defender ATP on Windows.
These methods use either Registry settings or the Set-MpPreference PowerShell cmdlet to change Windows Defender preferences.

Researchers spotted a new version of the TrickBot banking Trojan that targets Microsoft’s Windows Defender in order to prevent its detection and removal.


How does it work?


Once this new version is executed, it starts a loader that disables Windows services and processes associated with Windows Defender.
It then performs privilege escalation to gain higher system privileges.
After this, it loads the "core" component by injecting a DLL.
This DLL downloads modules that are designed to steal information from the computer, provide the communication layer, and perform other tasks.

Methods used to disable Windows Defender


Security researcher Vitali Kremez and researchers from MalwareHunterTeam analyzed the sample and noted that this new Trickbot version uses 12 additional methods to disable Windows Defender and Microsoft Defender ATP on Windows. These methods use either Registry settings or the Set-MpPreference PowerShell cmdlet to change Windows Defender preferences.


The additional methods include adding policies under SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following settings.


DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
DisableOnAccessProtection: Disables scanning when users open a program or file.
DisableScanOnRealtimeEnable: Disables process scanning.

It also configures the following Windows Defender preferences via the Set-MpPreference PowerShell cmdlet.


DisableRealtimeMonitoring: Disables real-time scanning.
DisableBehaviorMonitoring: Disables behavior monitoring as a Windows Defender preference.
DisableBlockAtFirstSeen: Disables Defender's Cloud Protection feature.
DisableIOAVProtection: Disables the scanning of downloaded files and attachments.
DisablePrivacyMode: Disables privacy mode so all users can see threat history.
DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
DisableScriptScanning: Disables the scanning of scripts.
SevereThreatDefaultAction: Sets the value to 6, which turns off automatic remediation for severe threats.
LowThreatDefaultAction: Sets th ..
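The registry policies and Set-MpPreference settings listed above are the same values an administrator can audit. The following PowerShell script is an added example for that purpose; it is not code from the article or from the researchers' analysis. It assumes the policies are written under HKLM (where Defender reads Group Policy settings), that the Defender module (Get-MpPreference) is available on the host, and that the two Defender operational log event IDs it queries (5001, real-time protection disabled; 5007, platform configuration changed) are present on the system. The function name Get-DefenderTamperingFindings and the -LookbackHours parameter are the example's own.

```powershell
# Added audit script (not from the article). Checks, from the defender's side,
# the Defender settings this TrickBot version tampers with: the Real-Time
# Protection policy values in the registry and the preferences changed via
# Set-MpPreference, then pulls corroborating Defender operational log events.
# Run from an elevated PowerShell 5.1+ session on a host with the Defender module.

# Assumption: policies live under HKLM, where Defender reads Group Policy settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$PolicyValues = @('DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable')

# Boolean preferences from the article; each reads $true when the feature is disabled.
$PreferenceNames = @(
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableBlockAtFirstSeen',
    'DisableIOAVProtection', 'DisablePrivacyMode', 'DisableIntrusionPreventionSystem',
    'DisableScriptScanning'
)

function Get-DefenderTamperingFindings {
    [CmdletBinding()]
    param(
        # Hours of Defender operational log history to inspect (example parameter).
        [int]$LookbackHours = 24
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Registry policies: a DWORD value of 1 disables the corresponding protection.
    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey
        foreach ($name in $PolicyValues) {
            $value = $item.$name
            if ($null -ne $value -and [int]$value -eq 1) {
                $findings.Add([pscustomobject]@{ Source = 'Registry policy'; Setting = $name; Value = $value })
            }
        }
    }

    # 2. Live preferences as reported by the Defender module.
    $pref = Get-MpPreference
    foreach ($name in $PreferenceNames) {
        if ($pref.$name -eq $true) {
            $findings.Add([pscustomobject]@{ Source = 'MpPreference'; Setting = $name; Value = $true })
        }
    }
    # 6 is the value the article reports as turning off automatic remediation for severe threats.
    if ($pref.SevereThreatDefaultAction -eq 6) {
        $findings.Add([pscustomobject]@{ Source = 'MpPreference'; Setting = 'SevereThreatDefaultAction'; Value = 6 })
    }

    # 3. Corroborating events: 5001 = real-time protection disabled,
    #    5007 = antimalware platform configuration changed.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings.Add([pscustomobject]@{
            Source  = "Event $($e.Id)"
            Setting = $e.TimeCreated.ToString('s')
            Value   = ($e.Message -split "`n")[0]   # first line of the event message
        })
    }

    return $findings
}

# Usage: an empty result means none of the listed settings is disabled and no
# related events were logged in the lookback window.
Get-DefenderTamperingFindings -LookbackHours 24 | Format-Table -AutoSize
```

The registry check and the Get-MpPreference check are deliberately separate: a policy value under the Real-Time Protection key overrides the local preference, so a host can report DisableBehaviorMonitoring as $false in Get-MpPreference while the policy still disables it. The event query is only corroboration; malware that runs as SYSTEM can clear the log, so the settings audit should be the primary signal. Microsoft's Tamper Protection feature, where it is enabled, blocks changes to these preferences through Set-MpPreference and the registry, which removes most of the surface these 12 methods rely on.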
