Author Topic: GootKit Malware Bypasses Windows Defender by Setting Path Exclusions  (Read 227 times)

Posted by javajolt
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which uses a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.

GootKit is a banking Trojan that attempts to steal the online banking credentials of infected users through video capture and redirects to fake banking sites under the attacker's control. An interesting aspect of this infection is that it is a Node.js application packaged into an executable.

After analyzing a recent GootKit sample found by JamesWT, malware researcher and reverse engineer Vitali Kremez found that GootKit is attempting to bypass detections by Windows Defender by excluding the malware path from scanning.

In code provided to BleepingComputer by Kremez, we can see that the GootKit first checks if Windows Defender is enabled by issuing the following command:

    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

[Image: Check if Windows Defender is Enabled]

If it is enabled, the malware will now execute a command that creates Registry values that will be executed as part of a UAC bypass using the C:\Windows\system32\fodhelper.exe executable.


UAC Bypass using Fodhelper.exe

Essentially, the above command will perform the following steps:

   1. Create the "DelegateExecute"=0 value under the key
      HKCU\Software\Classes\ms-settings\shell\open\command, which is needed
      for the bypass.

   2. Create the HKCU\Software\Classes\ms-settings\shell\open\command value so
      that it points to a command that whitelists the malware executable's
      path. It does this using the command:
      WMIC /Namespace:\\root\Microsoft\Windows\Defender class
      MSFT_MpPreference call Add ExclusionPath=\"' + excludeDir + '\"
      (excludeDir being the directory concatenated in by the Node.js code).

   3. Execute C:\Windows\System32\fodhelper.exe, which runs the WMIC command
      above without showing a UAC prompt.

   4. Ping the loopback address 7 times to create a delay.

   5. Finally, delete the value containing the WMIC command from the Registry.

At this point, Windows Defender will no longer scan the path where the executable is located.

Finally, GootKit will confirm that the bypass was enabled by executing the following WMIC command:

    WMIC /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference Get * /format:list | findstr /i "DisableRealtimeMonitoring ExclusionPath ExclusionProcess MAPSReporting SubmitSamplesConsent"

This command will return a list of Windows Defender preferences that can be used to determine if Windows Defender is active.
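The same artifacts the malware creates and then queries can be audited from the defender's side. The following PowerShell script is an added example, not code from the article or from the GootKit sample: it checks for the fodhelper.exe hijack key under HKCU (which does not exist on a clean machine), lists Defender exclusions that point at user-writable locations such as the \temp\ directory shown above, and pulls Microsoft Defender Antivirus "configuration has changed" events (Event ID 5007), which record exclusion changes even after the malware has deleted the registry value in step 5. It assumes Windows 10 with the Defender PowerShell module (Get-MpPreference) and an elevated prompt; the list of "suspicious" roots is a heuristic of this example, not something the article specifies.

```powershell
# Added detection script, not part of the article or of the GootKit sample.
# Assumes Windows 10 with Microsoft Defender Antivirus and its PowerShell module
# (Get-MpPreference); run from an elevated prompt so the operational log is readable.
# It audits the three artifacts the article describes: the fodhelper.exe hijack
# key, Defender exclusions pointing at user-writable locations, and Defender
# configuration-change events (ID 5007) that touched the exclusion lists.

function Test-SuspiciousExclusion {
    param([string]$Path, [string[]]$Roots)
    # Bare "\temp\" (as in the article's screenshot) or anything under a
    # user-writable root is a poor place for an exclusion to point (example heuristic).
    if ($Path -match '^\\?temp\\?$') { return $true }
    foreach ($r in $Roots) {
        if ($Path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. fodhelper.exe hijack key. On a clean machine this key does not exist under HKCU,
#    so its mere presence is worth a look, even if the malware already emptied it (step 5).
$hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path -LiteralPath $hijackKey) {
    $props = Get-ItemProperty -LiteralPath $hijackKey
    $findings.Add([pscustomobject]@{
        Check  = 'ms-settings hijack key present (fodhelper UAC bypass)'
        Detail = "(default)='$($props.'(default)')' DelegateExecute='$($props.DelegateExecute)'"
    })
}

# 2. Current Defender exclusions plus the real-time setting the malware also queries.
$roots = @($env:TEMP, $env:TMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
         Where-Object { $_ } | Select-Object -Unique
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ([string]::IsNullOrWhiteSpace($p)) { continue }
    if (Test-SuspiciousExclusion -Path $p -Roots $roots) {
        $findings.Add([pscustomobject]@{ Check = 'Exclusion in user-writable location'; Detail = $p })
    }
}
if ($pref.DisableRealtimeMonitoring) {
    $findings.Add([pscustomobject]@{ Check = 'Real-time monitoring disabled'; Detail = 'DisableRealtimeMonitoring=True' })
}

# 3. Defender logs event 5007 ("configuration has changed") whenever an exclusion is
#    added; the message names the Exclusions\Paths or Exclusions\Processes value that
#    changed. This record survives the malware's registry cleanup in step 5.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007 } -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusions\\(Paths|Processes)') {
        $newValue = ($e.Message -split "`r?`n") | Where-Object { $_ -match 'New value' } | Select-Object -First 1
        $findings.Add([pscustomobject]@{
            Check  = "Exclusion changed at $($e.TimeCreated)"
            Detail = $newValue
        })
    }
}

if ($findings.Count -eq 0) { 'No Defender-exclusion or fodhelper artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because the malware deletes the hijack value after the delay in step 4, the registry check alone is likely to come up empty on a machine that was infected more than a few seconds ago; the 5007 events and the still-present exclusion in Get-MpPreference are the durable evidence, and any path-shaped exclusion living in a temp or profile directory should be removed and the executable there examined.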

As can be seen below, the ExclusionPath has been set to {"\temp\"}, which means that the path is excluded from scanning. The Temp folder is just an illustration and the path may change with an actual infection.

[Image: Check for exclusion]

With this exclusion in place, even if Microsoft starts detecting the particular GootKit sample in the future, its path will be excluded and will not be detected by the security software.

GootKit is not the only Trojan stepping up its game to evade Microsoft's greatly improved Windows Defender antivirus product. In July, we reported that TrickBot had started executing PowerShell commands to disable Windows Defender's functionality and to evade detection.

Source: BleepingComputer