JamesWT and Vitali Kremez: GootKit is evolving and can now bypass Windows Defender. It excludes itself from being scanned thanks to a UAC bypass and WMIC commands
GootKit can bypass Windows Defender by setting path exclusions, as discovered by the cyber security experts JamesWT and Vitali Kremez. It does so thanks to a UAC bypass and WMIC commands that exclude the malware executable from being scanned by the WD antivirus. The banking trojan first checks whether Windows Defender is enabled. If it is, it executes a command that creates Registry values which are then executed as part of a UAC bypass. After that, WD no longer scans the path where the executable is located. Finally, it confirms that the bypass is in place with a WMIC command that returns a list of preferences, which can be used to determine whether the AV is active. With this exclusion in place, even if Microsoft starts detecting this particular cybercrime malware sample in the future, its path will be excluded and it will not be detected by the security software.
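An audit script a defender could run to spot this kind of exclusion, added here as an example and not taken from the article or from the researchers' analysis. It assumes an elevated PowerShell session on Windows 10 with the Defender module available; the "user-writable path" pattern used to flag entries is my own assumption, not something the article specifies.

```powershell
# Added example (not from the article): audit Windows Defender path exclusions
# for entries that point into user-writable locations, the kind of exclusion the
# article says GootKit adds for its own executable, and list recent config changes.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 with the Defender module.

# Assumed heuristic: an excluded path under one of these trees deserves a look.
$suspiciousPattern = '\\(Users|AppData|Temp|ProgramData|Public|Downloads)\\'

function Get-SuspiciousDefenderExclusions {
    # Live preference list, the same data the MSFT_MpPreference WMI class exposes.
    $pref    = Get-MpPreference
    $fromApi = @($pref.ExclusionPath)

    # Registry view of the same exclusions; each value name is an excluded path.
    $regKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    $fromReg = @()
    if (Test-Path $regKey) {
        $fromReg = (Get-Item $regKey).GetValueNames()
    }

    # Union of both sources, flagged when the path sits in a user-writable tree.
    (@($fromApi) + @($fromReg)) |
        Where-Object { $_ } |
        Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_
                Suspicious = [bool]($_ -match $suspiciousPattern)
            }
        }
}

function Get-DefenderConfigChangeEvents {
    param([int]$Days = 7)
    # Event ID 5007 is logged when the Defender configuration changes, which
    # includes adding an exclusion; review these alongside the list above.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-SuspiciousDefenderExclusions | Where-Object Suspicious | Format-Table -AutoSize
Get-DefenderConfigChangeEvents | Format-List
```

A flagged path is not proof of infection on its own; compare it against the exclusions your organisation deploys by policy before acting on it.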
GootKit is the latest malware updated by cybercrime groups to bypass Windows Defender. Bleeping Computer cyber security magazine: in July, the TrickBot banking trojan had started executing PowerShell commands to disable WD's functionality and evade detection
According to Bleeping Computer, GootKit is not the only malware stepping up its game to evade Windows Defender. In July, the cyber security magazine reported that the TrickBot banking trojan had started executing PowerShell commands to disable WD's functionality and evade detection. As the Microsoft software improves and becomes tightly integrated into Windows 10, cybercrime authors are in fact developing techniques to evade its detection and adding them to their malicious code. GootKit is hitting targets worldwide with malspam campaigns to spread the banking trojan, usually with the lure of invoices. The payload is traditionally hidden in a malicious attachment masquerading as an Office document or a zipped file. GootKit is a trojan that steals confidential information. It also opens a back door and downloads additional files onto the compromised computer.