TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

TrickBot has switched up its privilege escalation game, and is now leveraging a Windows 10 security vulnerability to do so without showing the normal UAC prompt users expect:

This week, ReaQta discovered that TrickBot has now switched to a different UAC bypass that utilizes the Wsreset.exe program.

Wsreset.exe is a legitimate Windows program used to reset the Windows Store cache.

When executed, Wsreset.exe will read a command from the default value of the HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key and execute it.

When executing the command it will not display a UAC prompt and users will have no idea that a program has been executed.

TrickBot is now exploiting this UAC bypass to launch itself with elevated privileges, but without the logged-in Windows user being notified by a UAC prompt.

TrickBot is particularly evil because it, along with Emotet, is used for deploying the highly evil Ryuk ransomware. If you are into technical details, this analysis of TrickBot using the Wsreset.exe UAC bypass by MorphiSec is a great read.
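As an added defensive check (not code from the article, ReaQta or Morphisec), the PowerShell below looks for the per-user Classes key the article names, whose default value Wsreset.exe runs without a UAC prompt. The function name, the decision to inspect every loaded user Classes hive, and the output format are my assumptions.

```powershell
# Added example: find the registry command that Wsreset.exe will execute.
# The subkey path is the one quoted in the article; it lives under a user's
# Software\Classes root (HKCU:\Software\Classes is the same hive as HKU\<SID>_Classes).
$WsresetSubKey = 'AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'

function Get-WsresetHijackCommand {
    # $ClassesRoot is a per-user Classes root, e.g. 'HKCU:\Software\Classes'
    # or 'Registry::HKEY_USERS\<SID>_Classes'. Returns $null when no key exists.
    param([Parameter(Mandatory)][string]$ClassesRoot)
    $KeyPath = "$ClassesRoot\$WsresetSubKey"
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    # GetValue('') reads the key's default value, which holds the command line.
    (Get-Item -LiteralPath $KeyPath).GetValue('')
}

# Current user first, then every loaded per-user Classes hive so that other
# logged-on users on the machine are covered as well.
$Roots = @('HKCU:\Software\Classes') +
    (Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like '*_Classes' } |
        ForEach-Object { $_.PSPath })

$Hits = foreach ($Root in $Roots) {
    $Cmd = Get-WsresetHijackCommand -ClassesRoot $Root
    if ($null -ne $Cmd) {
        [pscustomobject]@{ ClassesRoot = $Root; Command = $Cmd }
    }
}

if ($Hits) {
    Write-Warning 'Wsreset.exe command key present; review the command and which process created the key.'
    $Hits | Format-Table -AutoSize
} else {
    Write-Output 'No Wsreset.exe command key found in any loaded user Classes hive.'
}
```

Run it in an elevated session to see other users' hives; the same key path is also what to watch for in registry-modification telemetry (for example Sysmon event ID 13).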

Laughably Unsophisticated Mac Malware

Major malware infections on macOS are quite rare but the operating system is, by no means, immune to what Windows users have had to endure for decades. Over the last two years macOS users have been pestered by Shlayer and all the pirated videos it promises to provide the unsuspecting victim:

An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.”

Another banal detail about Shlayer is its previously mentioned infection method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Unless you have good self control, good web browsing hygiene, and common sense, stay away from web sites offering pirated content. Is that one free pirated movie worth all the work to rebuild your computer after it gets infected with some malware it should never have in the first place?