This post is here to inform you of the fact that stealthy banking Trojan Trickbot now can disable the Windows built-in anti-virus software Windows Defender. Check out this post more for more information.
What Is Trickbot
This is not this first time we heard of Trickbot. Trickbot is a particularly stealthy banking Trojan which has existed since 2016. Since then, it has been thought to have leaked at least 250 million e-mail accounts in order to distribute malware payload. The payload includes the stealing of online banking credentials and cryptocurrency wallets.
As far as trickbot attacks are concerned, Microsoft has always been at the forefront and the center, and weaponized Word and Excel files are a popular method. The latest campaign targets Windows 10 users and implements a highly detailed and convincing Office 365 page, but it is still fake to prompt users to update and install the Trojan Horse’s own browser.
The latest change in the Bank Trojan knife that Windows 10 users are concerned is the addition of a new method that can not only evade but also actually disable Windows Defender security protection.
Trickbot Disables Windows Defender
Now Trickbot is becoming one of the more dangerous Trojans as it targets Windows 10 users who completely rely on Windows Defender to protect their machines from malware threats.
Lots of sophisticated malware seen across the years use various methodologies to evade detection by security program and so prevent being neutered.
However, trickbot is becoming more sophisticated and powerful nowadays. It not only detects Windows Defender but also uses no less than 17 steps to try to completely disable it.
It attempts to disable and delete WinDefend services, terminate processes associated with Windows Defender, adds Windows policies to disable Windows Defender, disable Windows Defender real-time protection and disable security notifications.
However, they are not satisfied with this, as the research team of Trickbot Trojan has now added more steps in their attempt to prevent Windows Defender from protecting Windows 10 users from this threat.
Is there any way to stop the Trickbot?
How to Stop the Trickbot?
Block Access to the Windows Registry
An ethical hacker John Opdenakker points out that the general best fix is to block access to Windows Registry. And make sure that users don’t have admin rights by default make for good mitigation advice.
However, Opdenakker also adds that it certainly depends on the advanced level of the particular malware. For Trickbot, it appears to perform an upgrade to gain higher system privileges.
Use App Locker
AppLocker is included in Windows 10, but it seems to be rarely used by ordinary users. AppLocker helps you limit which applications and files users can run. These include executable files, scripts, Windows Installer files, dynamic link libraries (DLL), packaged applications and packaged application installers.
Not many people use it and only allow authorized software to run on endpoints, but it is indeed a good way to defend Trickbot. Since AppLocker is installed and available on your computer, you can try using it to reduce the threat of malicious software such as Trickbot being introduced into your environment.
Windows Tamper Protection
Windows 10’s May 2019 Update brings a new “tamper protection” feature to Windows Security. Windows Tamper Protection prevents attempts to modify Windows Defender settings through the registry and it is turned on by default. This should prevent most of the new steps used by Trickbot from taking effect.
It does not really bypass tamper protection on Windows 10, which means that as long as the tamper protection is not disabled, users on Windows 10 should be relatively safe as Windows Defender will not be disabled so easily.”
However, TrickBot has more persistence methods to keep it undetected, so this should not be considered a pass for Windows 10 users. Those who have disabled tamper protection to avoid conflicts with third-party security applications are certainly at risk. So we recommend that you can this option on all your Windows 10 PCs at all the time.