August 6, 2019 by Nick Griffin
This week, a new variant of the TrickBot banking trojan emerged with renewed functionality to disable Windows Defender. The new code can switch off several critical elements of Defender’s anti-virus (AV) components, allowing the malware to roam freely on an infected machine where Defender is the only line of…well, defence. There is no evidence, however, that Defender ATP’s endpoint detection and response (EDR) components are affected.
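A first check a responder can run on a suspect host is to ask Defender itself which of those components are still enabled. The PowerShell audit below is an added example, not code from the original post or from any TrickBot analysis; it assumes the built-in Defender module cmdlets (Get-MpComputerStatus and Get-MpPreference) are available, and because the IsTamperProtected property only exists on recent Windows 10 builds, the script reports any property it cannot read as UNKNOWN rather than as tampering. The three-day threshold for stale signatures is an arbitrary value chosen for illustration.

```powershell
# Added example (not from the original post): audit the Windows Defender AV
# components that Defender-tampering malware targets and flag any that have been
# switched off. Uses only the built-in Defender cmdlets; properties that do not
# exist on older builds (e.g. IsTamperProtected) come back $null and are
# reported as UNKNOWN. Run from an elevated PowerShell prompt.

function Get-DefenderTamperReport {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Healthy state: status flags are $true, the "Disable*" preferences are $false.
    $checks = @(
        @{ Name = 'AM service running';             Value = $status.AMServiceEnabled;          Expected = $true  }
        @{ Name = 'Antivirus engine enabled';       Value = $status.AntivirusEnabled;          Expected = $true  }
        @{ Name = 'Real-time protection';           Value = $status.RealTimeProtectionEnabled; Expected = $true  }
        @{ Name = 'Behaviour monitoring';           Value = $status.BehaviorMonitorEnabled;    Expected = $true  }
        @{ Name = 'On-access protection';           Value = $status.OnAccessProtectionEnabled; Expected = $true  }
        @{ Name = 'IOAV (download) scanning';       Value = $status.IoavProtectionEnabled;     Expected = $true  }
        @{ Name = 'Tamper Protection';              Value = $status.IsTamperProtected;         Expected = $true  }
        @{ Name = 'Pref: DisableRealtimeMonitoring'; Value = $pref.DisableRealtimeMonitoring;  Expected = $false }
        @{ Name = 'Pref: DisableBehaviorMonitoring'; Value = $pref.DisableBehaviorMonitoring;  Expected = $false }
        @{ Name = 'Pref: DisableIOAVProtection';     Value = $pref.DisableIOAVProtection;      Expected = $false }
        @{ Name = 'Pref: DisableScriptScanning';     Value = $pref.DisableScriptScanning;      Expected = $false }
    )

    foreach ($c in $checks) {
        $state = 'TAMPERED'
        if ($null -eq $c.Value) { $state = 'UNKNOWN' }
        elseif ($c.Value -eq $c.Expected) { $state = 'OK' }
        [pscustomobject]@{ Check = $c.Name; Value = $c.Value; State = $state }
    }

    # Exclusions are another common tampering target: list any that exist for review.
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
        Where-Object { $_ }
    foreach ($e in $exclusions) {
        [pscustomobject]@{ Check = 'Exclusion present'; Value = $e; State = 'REVIEW' }
    }

    # Stale signatures can mean the update components were interfered with as well.
    # The 3-day threshold is an arbitrary illustration value, not a Microsoft recommendation.
    if ($status.AntivirusSignatureLastUpdated) {
        $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
        $sigState = 'OK'
        if ($age.TotalDays -gt 3) { $sigState = 'REVIEW' }
        [pscustomobject]@{
            Check = 'Signature age (days)'
            Value = [math]::Round($age.TotalDays, 1)
            State = $sigState
        }
    }
}

$report = Get-DefenderTamperReport
$report | Format-Table -AutoSize
if ($report.State -contains 'TAMPERED') {
    Write-Warning 'One or more Defender AV components are disabled; treat this host as suspect.'
}
```

A clean host shows OK on every row; a row marked TAMPERED means a component of the kind TrickBot is reported to target has been switched off, and REVIEW rows deserve a look even when everything else is healthy. One caveat: malware that can disable the AV engine can also interfere with what the host reports about itself, so a clean result gathered on the host is indicative only and is best corroborated with EDR or management-console telemetry where you have it.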
We conducted our own analysis of TrickBot detections and found a likely reason why Microsoft has recently become a target of the banking trojan’s authors.
The graph above shows the number of confirmed TrickBot samples with low detection rates (samples that few AV vendors flag at first sight) that we have seen picked up by Microsoft throughout 2019 so far. We have seen no evidence of a general increase in TrickBot activity in July, so the rise reflects Microsoft having become more effective at detecting this malware family rather than more samples being in circulation.
Microsoft also employ several machine-learning and heuristic detection models. Many TrickBot samples are caught by these models and assigned more generic detection names; “Wacatac”, for example, is the name under which Microsoft most often detects TrickBot samples. Not every “Wacatac” detection is TrickBot, but there has clearly been a large upsurge in the efficacy of this detection model too.
Put these factors together with the fact that Windows Defender is built into every recent version of Windows, and it is no wonder that the TrickBot author(s) are waging war on it.
Bypassing Endpoint Security
Tampering with traditional endpoint security products is nothing new. It has always been a cat-and-mouse game between malware and AV developers, with the former finding and using new ways to bypass the latter until those techniques are patched. The new TrickBot variant is just another example of the weakness of relying on AV alone.
Many malware authors choose not to go down this route, however, and instead invest their effort in polymorphism, writing new crypters and obfuscators for their malware. This approach avoids detection altogether rather than disabling it, but it can be just as short-lived, if not more so, lasting only until AV vendors develop new signatures and heuristics.
But a malware author who knows what they are doing will usually stay one small step ahead of AV detection, just enough to deliver their malware successfully day after day. This window of opportunity can be less than an hour before a new sample starts picking up detections from AV vendors, usually because sandboxes and security analysts have raised the alarm. But an hour is plenty of time to steal data, do damage, or deliver secondary components that maintain a foothold.
Closing the Gap
Read our follow-up blog on closing the gap with Managed Detection & Response (MDR).