TrickBot Loader Targets Windows Defender

Delaware, USA – July 31, 2019 – The new version of the notorious TrickBot banking trojan stops Windows Defender and blocks the launch of a number of anti-virus solutions before loading the main component. Cybersecurity expert Vitali Kremez and MalwareHunterTeam analyzed the malware and found new methods to bypass the protection of Windows 10 systems. The primary changes were made to the TrickBot loader, which, after starting, stops the Windows processes and services related to security solutions, and then injects a DLL into a process to download all the necessary modules. The new TrickBot sample now “knows” 12 new ways to disable Windows Defender and Microsoft Defender ATP. For that purpose, the TrickBot loader modifies the registry or changes the settings of the security solution using PowerShell commands. When other security programs are detected, it modifies the registry so that a debugger is started in place of these programs when they are executed.
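The three behaviours described above (registry edits to Defender policy keys, Defender settings changed through PowerShell, and a debugger registered for a security product's executable) each leave a registry or process-creation trace that Sysmon records. The script below is an added illustration written for this page, not code from the researchers or from the Threat Detection Marketplace rules: it runs a small set of detection rules over constructed Sysmon-style events. The Windows Defender policy value names, the Image File Execution Options "Debugger" value and the Set-MpPreference cmdlet are real Windows artefacts; the sample events, the field subset and the two-entry watchlist of security-product binaries are assumptions made for the example.

```python
"""Detect Defender-tampering patterns in Sysmon-style events.

Added example for this page, not the researchers' or SOC Prime's code.
Field names follow Sysmon: EventID 13 = RegistryEvent (value set),
EventID 1 = ProcessCreate. All events below are constructed samples.
"""
import re
from typing import Dict, List

# Defender policy values that disable protection when set to DWORD 1.
DEFENDER_DISABLE_RE = re.compile(
    r"\\Windows Defender(\\[^\\]+)*\\("
    r"DisableAntiSpyware|DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableOnAccessProtection|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE,
)
# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_ONE_RE = re.compile(r"\(0x0*1\)$")

# Image File Execution Options: a "Debugger" value makes Windows start the named
# debugger instead of the target binary, so the security product never launches.
IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.IGNORECASE
)
# Assumed watchlist (example only): Defender engine and Defender ATP sensor.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# Set-MpPreference with any -Disable* switch set to true.
MP_DISABLE_RE = re.compile(r"Set-MpPreference\b.*?-Disable\w*\s+\$?true\b", re.IGNORECASE)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events: four suspicious, two benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": PS,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
                     "Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": "C:\\Users\\user\\AppData\\Roaming\\loader.exe",  # constructed path
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\MsMpEng.exe\\Debugger",
     "Details": "C:\\Windows\\Temp\\placeholder-debugger.exe"},  # constructed value
    {"EventID": "1", "Image": PS,
     "CommandLine": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": "1", "Image": PS,
     "CommandLine": "powershell -Command Get-MpPreference"},  # benign: read-only
    {"EventID": "13", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\LastScanRun",
     "Details": "QWORD (0x00000000-0x00000001)"},  # benign: Defender's own bookkeeping
]


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the findings for one event (empty list when nothing matched)."""
    findings: List[Dict[str, str]] = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == "13":
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if DEFENDER_DISABLE_RE.search(target) and DWORD_ONE_RE.search(details):
            findings.append({"rule": "defender_policy_disable", "severity": "high",
                             "image": image, "target": target})
        match = IFEO_DEBUGGER_RE.search(target)
        if match:
            hijacked = match.group(1).lower()
            severity = "high" if hijacked in SECURITY_PROCESSES else "medium"
            findings.append({"rule": "ifeo_debugger_hijack", "severity": severity,
                             "image": image, "target": target})
    elif eid == "1":
        cmd = event.get("CommandLine", "")
        if MP_DISABLE_RE.search(cmd):
            findings.append({"rule": "powershell_mp_disable", "severity": "high",
                             "image": image, "target": cmd})
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through the rules and flatten the findings."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        alerts.extend(evaluate(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['image']} -> {alert['target']}")
```

Two of the three rules key on the registry value being written rather than on the process writing it, since the loader may use reg.exe, PowerShell or a direct API call; the IFEO rule scores any Debugger value write and raises the severity only for binaries on the watchlist, so a real deployment would extend that set to the products present in the environment.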

The authors of this Trojan are constantly expanding its functionality and its capabilities for disabling security solutions. The malware is equipped with modules to steal cryptocurrency wallets and browser history, and with several modules for collecting credentials from various sources, including the password-stealing module targeting PuTTY and Virtual Network Computing (VNC) platforms.

The rules to detect the TrickBot banking trojan are available on Threat Detection Marketplace.

Trickbot Execution by Florian Roth
Possible TrickBot Activity OR WinDefend Manipulation by Roman Ranskyi
TrickBot Detector (Sysmon) by Alexandr Yampolskyi
Trickbot Malware Detector (Sysmon Behavior)(June 2019) by Lee Archinal