# TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection

[bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/](https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/)

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), January 16, 2020 04:00 PM

The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.

A UAC bypass allows programs to be launched without displaying a User Account Control prompt, the dialog that asks users to allow a program to run with administrative privileges.

**Example of UAC prompt**

[In a new TrickBot sample, Head of SentinelLabs Vitali Kremez discovered that the trojan is](https://twitter.com/VK_Intel) now using the Windows 10 Fodhelper bypass.

## Using Windows 10 UAC bypass

When executed, TrickBot will check whether the operating system is Windows 7 or Windows 10. [If it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass; if it is Windows 10, it will](https://msitpros.com/?p=3960) now use the [Fodhelper UAC bypass.](https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-apps-and-features-utility/)

The Fodhelper bypass was discovered in 2017 and uses the legitimate Microsoft executable C:\Windows\system32\fodhelper.exe to execute other programs with administrative privileges.

"Fodhelper.exe is a trusted binary on Windows 10 that TrickBot uses to execute the malware stage bypassing UAC via the registry method," Kremez told BleepingComputer in a conversation.

Once the registry has been set up for the bypass, Fodhelper will, when executed, also launch any command stored in the default value of the HKCU\Software\Classes\ms-settings\shell\open\command key. As Fodhelper is a trusted Windows executable, it is allowed to auto-elevate without displaying a UAC prompt.
Any programs that it executes will therefore run without showing a UAC prompt as well. TrickBot uses this bypass to launch itself without any warning to the user and thus evades detection by the user.

**Command executed by the Fodhelper UAC bypass**

As more users move to Windows 10 and as Windows Defender matures, more malware has begun to target the operating system and its security features. In September 2019 we reported that the GootKit banking Trojan had also added the Fodhelper bypass in 2019, using it to execute a command that whitelists the malware executable's path in Windows Defender. In July 2019, TrickBot also targeted Windows Defender by trying to disable various scan options.

With the inclusion of Fodhelper, we continue to see the malware developers attempt to reduce the security features found in Windows 10.
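As an added example (not code from the article or from SentinelLabs), the following PowerShell audit checks a Windows 10 host for the two things discussed here: a planted ms-settings handler key of the kind the Fodhelper bypass reads, and whether UAC is set to "Always notify", the setting that prevents trusted Windows binaries from auto-elevating. It assumes an elevated PowerShell session; the function names and the `-Remediate` switch are my own.

```powershell
# Added example, not from the article. Assumes an elevated PowerShell session.
param([switch]$Remediate)

function Get-FodhelperHijack {
    # fodhelper.exe runs whatever is stored in the default value of this
    # per-user key, and a clean profile has no such key at all. Every loaded
    # user hive is walked so other logged-on accounts are covered too.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $key = Join-Path -Path $hive.PSPath -ChildPath 'Software\Classes\ms-settings\shell\open\command'
        if (Test-Path -Path $key) {
            [pscustomobject]@{
                UserSid = $hive.PSChildName
                Key     = $key
                Command = (Get-ItemProperty -Path $key).'(default)'
            }
        }
    }
}

function Get-UacLevel {
    # "Always notify" (top of the UAC slider) is ConsentPromptBehaviorAdmin = 2
    # with the secure desktop on. The default value 5 prompts only for
    # non-Windows binaries, which is the gap auto-elevating executables such
    # as fodhelper.exe fall into.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $always = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -eq 2) -and ($p.PromptOnSecureDesktop -eq 1)
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = $always
    }
}

function Set-UacAlwaysNotify {
    # Same effect as moving the UAC slider to the top via the Control Panel.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $path -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $path -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

$hits = @(Get-FodhelperHijack)
if ($hits.Count -gt 0) {
    Write-Warning 'ms-settings handler present in a user hive: possible Fodhelper UAC bypass.'
    $hits | Format-List
    # Deleting the key only disarms the bypass; the malware that planted it still
    # needs to be found, so preserve the output above before remediating.
    if ($Remediate) { $hits | ForEach-Object { Remove-Item -Path $_.Key -Recurse -Force } }
}
if ($Remediate -and -not (Get-UacLevel).AlwaysNotify) { Set-UacAlwaysNotify }
Get-UacLevel
```

Run it without `-Remediate` first to see what it finds; with the switch it removes any planted handler key and raises UAC to "Always notify", after which trusted binaries such as fodhelper.exe prompt like any other program.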
### Comments

[berite100 - 2 years ago](https://www.bleepingcomputer.com/forums/u/1053100/berite100/)

any remediation?

[Lawrence Abrams - 2 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/)

No, unfortunately not. Microsoft does not give UAC bypasses much priority.

[DavidChipman - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152088/davidchipman/)

Here's hoping they might now? Or is that expecting too much?

[RocketPak - 2 years ago](https://www.bleepingcomputer.com/forums/u/1132364/rocketpak/)

Best thing you can do is crank UAC up to the max setting. Then it will still pop up a UAC prompt even when Windows trusted executables need admin privileges.

[gabry89 - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152168/gabry89/)

You can set UAC to "Always Notify" and you should be safe from this bypass attack.

EDIT: I'm too late :)

[ken_smon - 2 years ago](https://www.bleepingcomputer.com/forums/u/1120756/ken-smon/)

The world: Windows is insecure
Microsoft: OK, here's UAC
Malware writer: Let's use fodhelper.exe to bypass it
Microsoft: ...

[Quadroodlesublimated - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152286/quadroodlesublimated/)

How do you set UAC to "Always Notify"? Explain, step by step!
Also: MSFT itself does not reliably sign every piece of software it publishes. Why? If they can't even follow their own rules, then what's the point of UAC? Am I getting this right? Is there something I should know?