30 July 19, 11:51
Quote:A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine.
TrickBot is a banking Trojan that attempts to steal online banking credentials, cryptocurrency wallets, browser information, and other credentials saved on your PC and browser.
When TrickBot is executed it first starts a loader that gets the system ready by disabling Windows services and processes associated with security software and performing elevation to gain higher system privileges. When that is completed, it will load the "core" component by injecting a DLL that then downloads modules used to steal information from the computer, contains the communication layer, and perform other tasks.
Prior to this version, the TrickBot loader would perform a basic targeting of Windows Defender, soon to be called Microsoft Defender, by performing the following steps:
- Disable and then delete the WinDefend service.
- Terminates the MsMpEng.exe, MSASCuiL.exe, and MSASCui.exe processes.
- Adds the DisableAntiSpyware Windows policy and sets it to true to disable Windows Defender and possibly other software.
- Disables Windows Security notifications.
- Disables Windows Defender real-time protection.
SOURCE: https://www.bleepingcomputer.com/news/se...-defender/