Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Andy Benavides, Professional - Technology Security, AT&T; Stan Nurilov, Lead Member of Technical Staff, AT&T; and Mike Klepper, Principal Architect, AT&T Cybersecurity Services. Mike has written blogs here in the past.
Andy: You can't defend what you can't scan. GootKit malware bypasses user access control (UAC).
Mike: So, Andy, I guess we're going to continue with the malware theme today with your story, right?
Andy: Yes, we're going to be talking about GootKit a little bit. G-O-O-T, Kit - it's kind of hard to say. But for those who don't know, GootKit is a banking Trojan whose goal is to steal your banking credentials, and it does that by recording your screen or by redirecting you to fake banking login pages. That's how it works.
A security researcher by the name of Vitali Kremez found that GootKit actually attacks Windows Defender by adding itself, by adding the directory that the malware lives in. It avoids detection by adding it to the scan exclusion list. So, it basically tells Windows Defender, "Don't scan this directory that my malware's in." And the key to doing that is through the use of the good old fodhelper.exe.
For those who don't know, fodhelper.exe is a Windows 10 management tool. It was found to allow UAC bypass in 2017 by a researcher by the name of Christian B. That's all that's known about him. Essentially, what happens is when an application wants to perform a task, because that requires administrative purposes, it brings up a prompt on your screen and it asks you for that permission. It says, "Hey, I want to do something as Admin." And you say yes or you say no. Bypassing that means that you can run things in the background as Admin without the user knowing. So that's kind of a big problem.
What Christian B. found was that fodhelper.exe actually runs with the auto-elevate attributes set to true, which means it can run itself with a higher privilege on its own when it deems it's necessary. Which means it can do things without bringing up that control prompt, letting the user know that something is happening in the background. What Christian B. was able to figure out was that the fodhelper.exe works by first checking for a few registry keys that strangely enough don't exist by default in Windows 10.
Stan: That's actually kind of normal.
Andy: Is it really?
Stan: Yes. That's how they do a lot of GPO policies later. They like to produce certain registry keys. And if you have them, then whatever, you can apply that setting.
Andy: Okay. So it checks for some registry keys that don't exist by default in Windows 10. When it finds those, then it does other things. What Christian B. was able to figure out is if you create the keys that it's looking for, one of the keys actually lets you dictate it and enter in further instructions on what to do when it's running. So essentially, what you can do is, not inject, but you could say, "Hey, open this application." And then it'll run with higher privileges, because that's fodhelper.exe runs as, you know, as...
Stan: It's a helper. What else would it do?
Andy: It's helping. Exactly.
Stan: Helps you get privileges.
Andy: Exactly. Now that we know what fodhelper.exe does, exactly how it works, let’s talk about GootKit a little bit more. The first thing GootKit does is checks to see that Windows Defender is actually enabled on the machine. If it is, it'll create those registry keys. And then with WMIC, it'll actually go in and it'll add the directory that the malware is going to be sitting in (or is sitting in) to that exclusion list so that it doesn't scan the file itself. And then it actually deletes the initial registry key for some cleanup, and then it is able to figure out if the bypass was successful.
Mike: A lot of malware needs to take those types of actions these days on an endpoint. I mean, doing penetration testing, I can tell you that Defender does tend to shut things down a lot better than it used to. That particular defense mechanism has really come a long way in the last several years. So trying to avoid antivirus or Defender are techniques every attacker has in their playbook, and their malware has to be able to do that. It’s certainly not surprising that malware is trying to do that - to find a way to sidestep that control. It's interesting the method that they've used to do it.
Stan: I'm surprised with the method...I'm not totally surprised that a method exists to bypass the UAC control, but I remember it being the mechanism that was supposed to help prevent some of these escalation items. You can become root when you need to, when you click Yes and Windows enforces that. So seeing a process being able to do that without the dialog is a little bit of a surprise to me. It's definitely something I want to look into some more. Thanks for bringing it to our attention.
Andy: But it's worth noting that, in order for this to work, the user has to be the Admin on the machine.
Stan: Right, to start with.
Andy: To start with. So a lot of folks are Admin on machines, whether they know it or not. So that's something.
Mike: It just points back to the general best practice that if you want to mitigate a lot of risk, you really need to operate that principle of least privilege across all users in your environment.
Stan: You want to make sure that you're on the lookout for your system acting abnormally. If you're using a product like Windows Defender or some other anti-virus product, make sure that it's enabled, it's not reporting any issues, it's not showing a warning icon, and that it's up to date. Periodically, review your software configuration to make sure that the things that are in a white list and things that don't get scanned are the items that you expect.