
Old Windows ‘Mock Folders’ UAC bypass used to drop malware
2023-03-06 21:34

A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware, aided by an old Windows User Account Control (UAC) bypass discovered over two years ago.

The use of mock trusted directories to bypass Windows User Account Control stands out in the attack as it's been known since 2020 but remains effective today.

Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script that abuses a Windows UAC bypass method documented in 2020.

The method, first demonstrated on Windows 10 by security researcher Daniel Gebert, involves using a combination of DLL hijacking and mock trusted directories to bypass UAC and run malicious code without prompting the user.

Windows UAC is a protection mechanism that Microsoft introduced in Windows Vista, asking users to confirm the execution of high-risk applications.

"Easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing a UAC prompt if located in a trusted directory - the mock %SystemRoot%\System32 directory ensures this criterion is fulfilled."
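The mock-folder trick relies on a directory name that only differs from the real trusted path by whitespace padding (Gebert's bypass uses a "Windows " directory with a trailing space), so a detection can simply look for padded path components in process-creation records. The following is an added example, not code from the article or from any vendor; the trusted-directory list and the sample Image values are constructed for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# Real directories from which Windows auto-elevates certain signed binaries.
# Constructed, minimal list for this example; extend it for your environment.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def path_components(image: str) -> List[str]:
    """Drop surrounding quotes and the \\?\ prefix, then split on backslashes."""
    raw = image.strip().strip('"')
    if raw.startswith("\\\\?\\"):
        raw = raw[4:]
    return raw.replace("/", "\\").split("\\")


def mock_folder_reason(image: str) -> Optional[str]:
    """Explain why `image` looks like it lives in a mock trusted directory, or None.

    A mock folder's name differs from a trusted one only by whitespace padding.
    Normal Win32 path handling strips that padding, so a check that normalises
    the path sees the trusted directory while the binary really runs elsewhere.
    """
    parts = path_components(image)
    padded = [p for p in parts if p and p != p.strip()]
    if not padded:
        return None
    normalised = "\\".join(p.strip() for p in parts).lower()
    for trusted in TRUSTED_DIRS:
        if normalised.startswith(trusted + "\\"):
            return f"mock of {trusted}: padded component {padded[0]!r}"
    return f"whitespace-padded path component {padded[0]!r}"


def scan(images: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (image, reason) for every image path that is flagged."""
    hits = []
    for image in images:
        reason = mock_folder_reason(image)
        if reason:
            hits.append((image, reason))
    return hits


# Constructed sample Image fields, as parsed from process-creation events.
SAMPLE_IMAGES = [
    r"C:\Windows\System32\easinvoker.exe",
    r"C:\Windows \System32\easinvoker.exe",
    r"\\?\C:\Windows \System32\easinvoker.exe",
    r'"C:\Users\bob\tmp \dropper.exe"',
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_IMAGES):
        print(f"{image} -> {reason}")
```

Only the first sample is a genuine System32 path; the other three are flagged, and the two that normalise to System32 are reported as mocks of that directory.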


News URL

https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac-bypass-used-to-drop-malware/