GootKit Malware Set Path Exclusions To Bypass Windows Defender


Windows Defender is tightly integrated into the Windows 10 operating system, and malware authors keep creating new techniques to evade its detection. One example is the GootKit banking Trojan, which uses WMIC commands and a UAC bypass to exclude its own executable from Windows Defender scanning.

GootKit is designed to steal the online banking credentials of infected users. The Trojan does this through video capture and by redirecting victims to fake banking websites that are entirely under the attackers' control. The most interesting part of this infection is that the malware is a Node.js application packaged in executable form.

A GootKit sample was recently found by the researcher JamesWT. After thorough analysis, reverse engineer and malware researcher Vitali Kremez found that the sample attempts to bypass Windows Defender detection by excluding the malware's own path from scanning.

According to the code shared by Vitali Kremez, GootKit first checks whether Windows Defender is enabled by running the following command:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

If Defender is found to be enabled, the malware executes a command that creates the Registry values used as part of a UAC bypass via the C:\Windows\system32\fodhelper.exe executable.

That command performs the following steps:

  • Create the HKCU\Software\Classes\ms-settings\shell\open\command "DelegateExecute"=0 value, which is required for the bypass.
  • Set the HKCU\Software\Classes\ms-settings\shell\open\command value so that it points to a command which whitelists the malware's executable path. That command is:

WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"' + excludeDir + '\"

  • Execute C:\Windows\System32\fodhelper.exe, which then runs the WMIC command above without displaying a UAC prompt.
  • Ping the loopback address 7 times to create a delay.
  • Finally, delete the value from the Registry using a WMIC command.

At this point, the malware's executable path is no longer scanned by Windows Defender.

GootKit then confirms that the exclusion is in place by executing the following command:

WMIC /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference Get * /format:list | findstr /i "DisableRealtimeMonitoring ExclusionPath ExclusionProcess MAPSReporting SubmitSamplesConsent"
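As an added example (not code from the original article or from the malware Kremez analysed), the following Python script shows how a defender could flag this chain in process-creation and registry telemetry: the SecurityCenter2 check, the write to the ms-settings handler key used by fodhelper.exe, and a Defender exclusion added through WMIC by a process spawned under fodhelper.exe. The events are constructed samples in a Sysmon-like shape; the field names are an assumption.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon
# process-creation (type "process") and registry-set (type "registry") records.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path "
                r"AntiVirusProduct Get displayName,productState /format:list"},
    {"type": "registry", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value": "DelegateExecute"},
    {"type": "process", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"WMIC /Namespace:\\root\Microsoft\Windows\Defender class "
                r'MSFT_MpPreference call Add ExclusionPath="C:\Users\u\AppData\Roaming\x"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# The ms-settings handler key is what fodhelper.exe consults; any write to it
# from a user-level process is suspicious.
MS_SETTINGS_KEY = r"\classes\ms-settings\shell\open\command"
# An exclusion added through the MSFT_MpPreference WMI class (Add method).
EXCLUSION_RE = re.compile(
    r"MSFT_MpPreference\b.*\bcall\s+Add\b.*\bExclusion(Path|Process|Extension)=", re.I)


def classify(event):
    """Return the list of finding labels for one event (empty if nothing matched)."""
    findings = []
    if event["type"] == "registry":
        if MS_SETTINGS_KEY in event["key"].lower():
            findings.append("ms-settings handler write (fodhelper UAC bypass staging)")
        return findings
    cmd = event["cmdline"]
    if event["parent"].lower().endswith(r"\fodhelper.exe"):
        findings.append("process spawned by fodhelper.exe (UAC bypass)")
    if EXCLUSION_RE.search(cmd):
        findings.append("Defender exclusion added via WMIC")
    if "securitycenter2" in cmd.lower() and "antivirusproduct" in cmd.lower():
        findings.append("AV product enumeration via SecurityCenter2 (informational)")
    return findings


def scan(events):
    """Run classify() over all events; returns (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]
```

Running `scan(SAMPLE_EVENTS)` yields four findings for the constructed chain and none for the benign notepad event; the SecurityCenter2 query is common in legitimate inventory scripts, so it is labelled informational and is only meaningful together with the other hits.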

GootKit is not the only Trojan stepping up its efforts against the improved version of Microsoft's Windows Defender antivirus. We reported in July that TrickBot had started executing PowerShell commands to disable Windows Defender functionality and evade detection.