A new variant uses a bypass called a fodhelper. A legitimate Windows file is used. It is supposed to help users to run certain programs even without administrator rights.
The Trickbot Trojan and Windows 10
The Trojan TrickBot is now able to bypass Windows 10 security functions using a process that is supposed to help Windows 10 users to run programs without administrator rights. The Trojan keeps learning. The Trojan can now bypass user account control (UAC) and how it can go unnoticed by the user. Undetected means that the trojan can gain admin rights without the user receiving visible prompts.The whole thing is based on the Windows 10 Fodhelper process, which is there to run programs without administrator rights. TrickBot is also programmed to first check which OS is on and then to start a bypass that works accordingly. In addition to the Fodhelper bypass for Windows 10, the bypass for Windows 7 is also known. Both workarounds have been known for years.
The Trojan bypasses user account control with the help of the Fodhelper UAC Bypass comes from the legitimate Microsoft tool fodhelper.exe, which is located in the Windows \ System32 folder. It allows other programs to be run without administrator rights. Fodhelper-exe is a trusted Windows 10 file that TrickBot uses to run malicious code using the registry method while bypassing user account control. Since Windows 10 fodhelper classifies trustworthily, an automatic extension of user rights is possible without the user account control intervening. There is also no request for programs that are started by Fodhelper.
TrickBot takes advantage of this part. Since there is no warning from the user account control, users are also unable to recognize that malware is running on their computer. Examples are the banking Trojan Rootkit, which also uses the Fodhelper bypass. TrickBot has been trying to turn off various Windows Defender scan options since July 2019.TrickBot made the headlines last July as the Trojan tried to bypass Windows Defender by disabling various scanning options. With the new trick, additional security functions are eliminated.