{
	"id": "14fb147a-3676-4259-a0f8-791715635bea",
	"created_at": "2026-04-06T01:29:03.047088Z",
	"updated_at": "2026-04-10T03:21:59.845203Z",
	"deleted_at": null,
	"sha1_hash": "3f731d59fec875820c45bf53857e22bd2bd251ae",
	"title": "Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 894460,
	"plain_text": "Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware\r\nBy Joie Salvio and Rommel Joven\r\nPublished: 2016-12-16 · Archived: 2026-04-06 01:19:36 UTC\r\nTo survive, macro downloaders have to constantly develop new techniques for evading sandbox environments and\r\nanti-virus applications. Recently, Fortinet spotted a malicious document macro designed to bypass Microsoft\r\nWindows’ UAC security and execute Fareit, an information-stealing malware, with high system privilege.\r\nSPAM\r\nThis malicious document is distributed by a SPAM email. As part of its social engineering strategy, it is presented\r\nin the context of someone being interested in a product.\r\nhttps://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware\r\nPage 1 of 6\n\nFig.1 SPAM with the malicious document\r\nAs usual, when the document is opened the targeted victim is instructed to enable Microsoft Word’s macro\r\nexecution. In doing so, the malicious macro executes in the background.\r\nFig.2 Malicious document instructs user to allow macro\r\nThe macro uses simple obfuscation by inserting garbage characters into real strings.\r\nFig.3 Function to remove the garbage characters\r\nHere is an example:\r\nARcAm4YdAJ.JZe4xReJ R/RcJY 6Ap64oA6wYeAJrZZsYJhAAe4lRl …\r\nBelow is the full shell command executed by the macro:\r\nIt’s common behavior for a malicious document macro to download and execute malware. However, what’s\r\ninteresting with this attack is that it executes the Fareit malware (sick.exe) with “High” privilege. In a default\r\nUAC setting, it should not be possible to do this without the UAC permission prompt popping up. 
Bypassing that\r\nsetting has everything to do with the executed Windows native application, eventvwr.exe.\r\nFig.4 Macro executes Event Viewer and Fareit (sick.exe)\r\nUAC Bypass and Privilege Escalation\r\nAn application running with high privilege in the system means access to more resources that would otherwise be\r\ninaccessible if running with lower privilege. In terms of malware, this means more data that can be stolen and\r\nmore changes that can be made to the system.\r\nUAC is a security feature that prevents an application from executing with higher privileges without the user’s\r\npermission. It is also a very convenient feature that allows users to perform non-administrator and administrator\r\ntasks without switching users.\r\nTo understand the shell command, let’s divide it into four sections.\r\nThe first section simply downloads the Fareit malware and drops it as %TEMP%\\sick.exe.\r\nCommand:\r\nFig.5 Network log of the malware download\r\nThe second section is where it starts to get really interesting. The malware adds the following entry to the registry:\r\nKey: HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\\r\n(default): %temp%\\sick.exe\r\nCommand:\r\nreg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d %tmp%\\sick.exe /f\r\nFig.6 Malware modifies the registry related to opening .msc files\r\nHKCU\\Software\\Classes\\ contains registry entries that dictate the default software to be used when opening files\r\nbased on file types. Adding the above registry entry means the malware will execute every time an mscfile (.msc) is\r\nopened. But there is a more important reason for changing this registry key.\r\nLet’s take a look at the third section of the command. 
After modifying the registry, it executes Microsoft’s Event\r\nViewer application, a tool used to view application and system logs for monitoring and troubleshooting.\r\nCommand:\r\nC:\\Windows\\system32\\eventvwr.exe \u0026 PING -n 15 127.0.0.1\u003enul\r\nEvent Viewer needs to execute the Microsoft Management Console (mmc.exe) to work. MMC is a tool that serves\r\nas an interface for Windows administrative tools. But first, it needs to locate mmc.exe. The application does this\r\nby querying HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\ and HKCR\\mscfile\\shell\\open\\command\\, in\r\nthat order. However, we now know that the malicious macro has already added the path of the downloaded Fareit\r\nmalware to the former, which means that the malware will be executed instead of MMC.\r\nNow, it is very important to note that Event Viewer has an auto-elevate parameter. This means it does not need\r\nUAC permission to execute with high privilege. This also means that any child process, Fareit malware in this\r\ncase, executed by this application will have the same high privilege.\r\nThe main problem is that a high-privilege Windows native application (eventvwr.exe) bases its parameters or\r\ndependencies on system artifacts that can be easily modified by a process with lower privilege.\r\nDiscovery and detailed analysis of this recent UAC bypass technique were posted by enigma0x3 here only a few\r\nmonths ago.\r\nThe fourth section of the command simply executes the Fareit malware again. This may just be a fail-safe\r\nmechanism in case the attempt to execute it with high privilege does not work.\r\nCommand:\r\n%tmp%\\sick.exe\r\nConclusion\r\nMacro malware attacks have been around for a long time, mainly because they are very effective at social\r\nengineering. 
Over time, they have become more aggressive and creative in evading detection for\r\nthemselves and their payloads, and this current example is another advanced development that we will surely start\r\nto see in other variants.\r\nIt was not long ago that security researchers presented a POC of this UAC bypass. Sharing this kind of\r\ninformation with the public always has its pros and cons. For the security community, it can serve as a good heads-up to plan and mitigate its bad effects. However, as the good guys become aware of it, there’s a good chance that\r\nthe bad guys are aware of it too.\r\nIn summary, then, here are a few simple security measures that can be implemented to mitigate these sorts of\r\nattacks:\r\nDisable execution of macros, if not in use\r\nChange the default setting of UAC to “Always Notify”\r\nBe vigilant when opening emails and documents from unknown sources\r\n-= FortiGuardLion Team =-\r\nSamples (SHA256)\r\n2e4a232753459ee64adfa1931d1bae5f3128e70918027c230c7da93aad69889b (sick.exe) - W32/Fareit.CIBX!tr.pws\r\n6dd7f947258458646153c414e0861c7257b794af5f03d37e0e9dc38e2c7126cf (scan002939110.doc) - WM/Fareit.UAC!tr.dldr\r\nd503aaa145be93e23e0e2d9a19ca89c9efd9729513d30f9be11db174c8ed6a9c (scan002939110.doc) - WM/Fareit.UAC!tr.dldr\r\nIOC\r\nAdded Registry:\r\nKey: HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\\r\n(default): %temp%\\sick.exe\r\nAdded File:\r\n%temp%\\sick.exe\r\nNetwork Connections:\r\nhttp[:]//hawkresultbox[.]net/logs/sick.exe\r\nhttp[:]//hawkresultbox[.]net/code/nam/gate.php\r\nhttp[:]//hawkresultbox[.]net/code/nam/shit.exe\r\nSource: 
https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
	],
	"report_names": [
		"malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438943,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f731d59fec875820c45bf53857e22bd2bd251ae.pdf",
		"text": "https://archive.orkl.eu/3f731d59fec875820c45bf53857e22bd2bd251ae.txt",
		"img": "https://archive.orkl.eu/3f731d59fec875820c45bf53857e22bd2bd251ae.jpg"
	}
}