According to a report from BleepingComputer, the operators of the GootKit banking Trojan are using it to evade Windows Defender. GootKit combines a UAC bypass with WMIC commands to keep its executable undetected by Microsoft's built-in antivirus. For those unfamiliar with it, GootKit is a Trojan that infiltrates a system and attempts to steal online banking credentials, both by capturing video of the victim's session and by redirecting unwitting users to fake banking websites. Malware and security researcher Vitali Kremez analyzed a GootKit sample and found that the Trojan is being used to thwart Windows Defender: by leveraging GootKit, attackers are hiding their malware from the system's defensive scans.
Attack Method
Kremez sent BleepingComputer code showing that, before issuing its evasion command, the Trojan first checks which antivirus products are registered with Windows and whether Defender is among them:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

If the Trojan detects that Defender is enabled, it runs a command, via the UAC bypass, that lets its payload avoid detection. BleepingComputer's report details that command; its effect is that once it has run, Windows Defender no longer scans the malware's path and therefore does not spot the attack. The same query is also a useful hunting signal for defenders: a wmic.exe process querying root\SecurityCenter2 that was spawned by something other than an administrative tool is worth investigating. It will be interesting to see how Microsoft reacts to this research. The company has done a lot to make Windows Defender a robust antivirus that is deeply integrated with Windows, and with attackers also upping their game, we expect Redmond to respond quickly.
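To make the pre-check concrete, the following is an added example (not code from the original article or from the GootKit sample) that parses the `/format:list` output of the WMIC query above and reproduces the branch decision the Trojan makes: is Windows Defender registered in root\SecurityCenter2 and enabled? The two WMIC outputs are constructed samples. The decoding of `productState` into a provider byte, a status byte (0x10 set when the product is enabled) and a signature byte (0x00 when up to date) follows the commonly documented but unofficial interpretation of that field, and the product names matched (`Windows Defender`, `Microsoft Defender`) are assumptions about how Defender appears in SecurityCenter2.

```python
"""Parse the SecurityCenter2 query GootKit runs and decide, as the Trojan does,
whether Windows Defender is the enabled antivirus.

Added example, not code from the original article or from the GootKit sample.
The productState bit layout used here is the commonly documented but
unofficial interpretation; treat it as an assumption.
"""
from typing import Dict, List

# Constructed sample of the /format:list output of
#   wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState /format:list
# on a host where Defender is the active antivirus (397568 == 0x061100).
DEFENDER_ACTIVE = """

displayName=Windows Defender
productState=397568

"""

# Constructed sample for a host with a third-party product active and Defender
# switched off; SecurityCenter2 still lists Defender, but as disabled (0x060100).
THIRD_PARTY_ACTIVE = """

displayName=Example Third-Party AV
productState=266240


displayName=Windows Defender
productState=393472

"""

# Assumption: display names under which Defender is registered in SecurityCenter2.
DEFENDER_NAMES = ("windows defender", "microsoft defender")


def parse_wmic_list(output: str) -> List[Dict[str, str]]:
    """Split WMIC /format:list output into one dict per instance.
    Each instance is a run of key=value lines; instances are separated by blank lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_product_state(state: int) -> Dict[str, object]:
    """Decode the 24-bit productState value (e.g. 397568 == 0x061100).
    Byte 2 identifies the provider, byte 1 carries the enabled flag (0x10),
    byte 0 is 0x00 when signatures are up to date and 0x10 when they are stale."""
    status_byte = (state >> 8) & 0xFF
    signature_byte = state & 0xFF
    return {
        "provider": (state >> 16) & 0xFF,
        "enabled": bool(status_byte & 0x10),
        "signatures_up_to_date": signature_byte == 0x00,
    }


def antivirus_products(output: str) -> List[Dict[str, object]]:
    """Return every registered product with its decoded state."""
    products: List[Dict[str, object]] = []
    for rec in parse_wmic_list(output):
        if "displayName" not in rec or "productState" not in rec:
            continue  # ignore partial or unrelated instances
        info = decode_product_state(int(rec["productState"]))
        info["name"] = rec["displayName"]
        products.append(info)
    return products


def defender_enabled(output: str) -> bool:
    """The branch condition GootKit evaluates: Defender registered and enabled?"""
    return any(
        p["enabled"] and str(p["name"]).lower().startswith(DEFENDER_NAMES)
        for p in antivirus_products(output)
    )


if __name__ == "__main__":
    for label, sample in (("defender host", DEFENDER_ACTIVE), ("third-party host", THIRD_PARTY_ACTIVE)):
        print(label, antivirus_products(sample), "-> evasion branch taken:", defender_enabled(sample))
```

Two caveats worth knowing when reproducing this check: WMIC is deprecated and the modern equivalent of the query is `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` in PowerShell, and the SecurityCenter2 namespace does not exist on Windows Server SKUs, so a check written this way finds no products there at all. On the defensive side, a quick way to see whether anything has been hidden from Defender is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, which lists the configured path exclusions.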