Cyber Crime

BKDR_VAWTRAK malware uses Windows feature to defend itself

The malware specialists at Trend Micro noticed that the malicious agent BKDR_VAWTRAK is abusing a Windows feature, Software Restriction Policies (SRP), to prevent victims’ security software from running.

Experts at Trend Micro have discovered that Japanese Internet users are being infected by a trojan, dubbed BKDR_VAWTRAK, which uses a built-in Windows feature to try to defeat security software on infected machines. Like many other banking trojans, BKDR_VAWTRAK has data-stealing capabilities focused on victims’ online banking credentials at some Japanese banks.

The malware specialists at Trend Micro noticed that the malicious agent is abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running a wide range of security programs, including antivirus software from Trend Micro, ESET, AVG, Symantec, Microsoft, Intel and many others, for a total of 53 different applications. SRP offers several ways to identify which applications may run on a system: by cryptographic hash, by digital signature, by download source, or simply by the application’s path on the system.

BKDR_VAWTRAK uses path rules to single out the applications it wants blocked.

“The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003.” “There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for the following directories under the %Program Files% and %All Users Profile%\Application folder, which are used by various security products,” reports the blog post published by Trend Micro.

The BKDR_VAWTRAK malware searches for directories belonging to the processes it wants to block; if it finds them, it adds the following registry entries to force applications in that directory to run with restricted privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
    ItemData = "{AV software path}"
    SaferFlags = "0"

“As a result, any file under the said directory would not run, returning the following error message:”

[Image: VAWTRAK malware]
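As an added defender-side example (not code from the Security Affairs post or from Trend Micro’s analysis), the PowerShell script below enumerates every SRP path rule present in the registry and flags Disallowed rules whose path points at a security product’s install directory, which is exactly the footprint the registry entries above leave behind. It assumes the documented SRP layout, in which rules live under a numeric security-level key (CodeIdentifiers\<level>\Paths\<GUID>) that the article’s abbreviated entry omits; the vendor name list is an assumption drawn from the vendors named in the article, not the 53 paths the malware actually checks.

```powershell
# Added example for defenders: list SRP path rules and flag ones aimed at security software.
# Security-level key names as SRP stores them (0 = Disallowed, 0x20000 = Basic User,
# 0x40000 = Unrestricted). Rules sit at ...\Safer\CodeIdentifiers\<level>\Paths\<GUID>.
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# ASSUMPTION: vendor directory fragments to flag, based on the vendors the article names.
# Extend this to match the security products actually deployed in your environment.
$VendorPatterns = 'Trend Micro|ESET|AVG|Symantec|Norton|Microsoft Security|Windows Defender|Intel|McAfee'

function Get-SrpPathRules {
    # SRP honours both the machine and the per-user policy hive, so inspect both.
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "$($hive):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -Path $base)) { continue }

        # Each numeric subkey is a security level; its Paths\ subkey holds one GUID key per rule.
        foreach ($levelKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path -Path $pathsKey)) { continue }

            $levelName = $Levels[$levelKey.PSChildName]
            if (-not $levelName) { $levelName = "Level $($levelKey.PSChildName)" }

            foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
                # ItemData is the path the rule matches; SaferFlags is the flags DWORD.
                $props = Get-ItemProperty -Path $rule.PSPath

                [pscustomobject]@{
                    Hive       = $hive
                    Level      = $levelName
                    RuleGuid   = $rule.PSChildName
                    ItemData   = $props.ItemData
                    SaferFlags = $props.SaferFlags
                    # A Disallowed rule pointing at a security product directory is the
                    # pattern described in the article and deserves immediate review.
                    Suspicious = ($levelName -eq 'Disallowed' -and
                                  [string]$props.ItemData -match $VendorPatterns)
                }
            }
        }
    }
}

# Show suspicious rules first so tampering stands out in the table.
Get-SrpPathRules | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM policy keys are readable; rules an administrator never created, especially Disallowed path rules naming antivirus directories, warrant comparison against the Group Policy objects that should be the only source of SRP settings.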

Software Restriction Policies (SRP) are intended to give corporate administrators control over which software their machines can run; with them, administrators can easily manage applications through application blacklists.

“Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.”

This is a very interesting case because it demonstrates the capabilities of the malware’s authors, who succeeded in turning a feature the operating system implements to defend the machine against malicious code to their own advantage.

As confirmed by the experts, this isn’t the first malware to use a similar technique against security software, but it is significant because BKDR_VAWTRAK has hit Japanese users.

Pierluigi Paganini

(Security Affairs – DDoS, Zeus)