Security News > 2023 > March > Old Windows ‘Mock Folders’ UAC bypass used to drop malware
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
The use of mock trusted directories to bypass Windows User Account Control stands out in the attack as it's been known since 2020 but remains effective today.
Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script to abuse a Windows UAC bypassing method documented in 2020.
The method, first demonstrated on Windows 10 by security researcher Daniel Gebert, involves using a combination of DLL hijacking and mock trusted directories to bypass UAC and run malicious code without prompting the user.
Windows UAC is a protection mechanism that Microsoft introduced in Windows Vista, asking users to confirm the execution of high-risk applications.
"Easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing a UAC prompt if located in a trusted directory - the mock %SystemRoot%System32 directory ensures this criteria is fulfilled."
News URL
Related news
- New Cross-Platform Malware 'Noodle RAT' Targets Windows and Linux Systems (source)
- Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS (source)
- New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration (source)
- Snowblind malware abuses Android security feature to bypass security (source)
- Windows MSHTML zero-day used in malware attacks for over a year (source)
- Facebook ads for Windows desktop themes push info-stealing malware (source)
- PKfail Secure Boot bypass lets attackers install UEFI malware (source)