TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

TrickBot has switched up its privilege escalation game, and is not leveraging a Windows 10 security vulnerability to do so without showing the normal UAC prompt users expect:

This week, ReaQta discovered that TrickBot has now switched to a different UAC bypass that utilizes the Wsreset.exe program.

Wsreset.exe is a legitimate Windows program used to reset the Windows Store cache.

When executed, Wsreset.exe will read a command from the default value of the HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key and execute it.

When executing the command it will not display a UAC prompt and users will have no idea that a program has been executed.

TrickBot is now exploiting this UAC bypass to launch itself with elevated privileges, but without the logged in Windows user being notified by a UAC prompt.

TrickBot is particularly evil because it, along with Emotet, is used for deploying the highly evil Ryuk ransomware. If you are into technical details, this analysis of TrickBot using the Wsreset.exe UAC bypass by MorphiSec is a great read.