User Account Control is one of the security measures introduced by Microsoft to prevent malicious software from executing without the user's knowledge.
Modern malware has found effective ways to bypass this barrier and ensure silent deployment on the host device.
Here are three methods commonly found in malware samples uploaded to ANY.RUN's public submissions database.
User Account Control works by prompting the user for permission before performing certain tasks that require administrative-level access.
The prompt typically includes a message describing the action that will be taken, the name of the program or user requesting access, and options to allow or cancel the action.
The Component Object Model is a binary interface standard for software components and a fundamental part of Windows operating systems, as many of their features are built on it.
One such COM object, exposed by cmstplua.dll, is registered with an entry that allows the object to run with administrator privileges, bypassing the UAC prompt.
Thanks to Threat Intelligence Lookup, we can easily find malware samples that circumvent UAC. Let's locate threats using cmstplua.
The service responds with a hundred different malware analysis sessions launched in the ANY.RUN sandbox, each mentioning the item we specified in our query.
We can click on any of these sessions to study them in-depth.
Here is a session featuring a sample of the Formbook malware that utilized cmstplua.dll to sidestep UAC.
After opening the sandbox session, we can explore additional details of the attack, such as the Tactics, Techniques, and Procedures used by the malware and its indicators of compromise.
Another method for bypassing UAC relies on modifying the Windows registry's ms-settings keys.
Some programs on Windows run with elevated privileges by default.
Attackers may leverage this by creating and modifying the corresponding ms-settings registry entry, which does not require administrative privileges.
This lets them hijack the key so that the malware launches without a UAC prompt being shown to the user.
Here is a sandbox analysis session of the BlankGrabber malware that uses this method to avoid showing the UAC prompt.
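As an added defender-side example (not code from the original article or from ANY.RUN), the check below scans constructed Sysmon-style registry events for writes to the per-user ms-settings handler key described above. It assumes the hijacked entry is the ms-settings\Shell\Open\command key under the user's hive (rendered as HKU\<SID>\... in Sysmon logs) and that the records carry Sysmon Event ID 12/13 field names; all sample values are invented.

```python
import re

# Constructed Sysmon-style registry records using Event ID 12 (key created) and
# 13 (value set) field names; SIDs, paths and values are invented for this
# example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes"
                     r"\ms-settings\Shell\Open\command"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes"
                     r"\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft"
                     r"\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": "(constructed machine-wide value)"},
]

# Per-user hive as Sysmon renders it (HKU\<SID>\...). Writes here need no admin
# rights, which is what makes the ms-settings handler attractive to malware; the
# machine-wide HKLM copy already requires elevation and is left out on purpose.
USER_MS_SETTINGS_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\command(\\|$)",
    re.IGNORECASE,
)

def classify(event):
    """Return a short finding if the event touches the user-hive ms-settings
    handler key, otherwise None."""
    if event.get("EventID") not in (12, 13):
        return None
    target = event.get("TargetObject", "")
    if not USER_MS_SETTINGS_RE.match(target):
        return None
    if event["EventID"] == 12:
        return "user-hive ms-settings handler key created"
    value_name = target.rsplit("\\", 1)[-1]
    return f"user-hive ms-settings handler value '{value_name}' set to: {event.get('Details', '')}"

def scan(events):
    """Return (Image, finding) pairs for every suspicious event, in log order."""
    return [(e.get("Image", "?"), f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

Any hit from a process outside the expected installer or policy tooling is worth a look, since legitimate software has little reason to register a per-user ms-settings handler.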
The third method is a prompt loop: the user is shown the UAC prompt again each time they attempt to close it.
As soon as they agree, the malware starts executing on their system.
Check out this analysis session featuring the Dcrat malware that relies on the prompt loop to gain its foothold on the system.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 28 May 2024 16:55:09 +0000