User Account Control (UAC) is one of the security measures introduced by Microsoft to prevent malicious software from executing without the user’s knowledge. However, modern malware has found effective ways to bypass this barrier and ensure silent deployment on the host device. Here are three methods commonly found in malware samples uploaded to ANY.RUN’s public submissions database.
What is User Account Control?
User Account Control (UAC) works by prompting the user for permission before performing certain tasks that require administrative-level access. This way, even if a user is logged in with an administrator account, they are notified about the potential risks of the task they are about to perform. The prompt typically includes a message describing the action that will be taken, the name of the program or user requesting access, and options to allow or cancel the action.
How Malware Dodges UAC
COM Interface Exploitation
The Component Object Model (COM) is a binary interface standard for software components and a fundamental part of Windows operating systems, as many of their features are built on it. COM provides a consistent way for applications to communicate with each other and with the OS.
Malware can exploit COM by taking advantage of certain objects that have the “Elevation – Enable – 1” entry in the Windows registry. This entry allows the object to run with administrator privileges, bypassing the UAC prompt. This can be a serious security vulnerability, as it allows malicious software to perform actions that would normally require the user’s explicit permission.
Some of the vulnerable COM objects include:
- cmstplua.dll
- colorui.dll
- wscui.cpl
Example:
Thanks to Threat Intelligence Lookup, we can easily find malware samples that circumvent UAC. Let’s locate threats using cmstplua.dll.
To do this, we simply need to submit the following query, which includes the process’s ID related to cmstplua.dll.
Get ANY.RUN’s special offers, until May 31, you can get 6 months of free service or extra licenses for team members. Learn more and sign up for free.
The service responds with a hundred different malware analysis sessions launched in the ANY.RUN sandbox, each mentioning the item we specified in our query.
We can click on any of these sessions to study them in-depth.
For instance, here is a session featuring a sample of the Formbook malware that utilized cmstplua.dll to sidestep UAC.
After opening the sandbox session, we can explore additional details of the attack, such as the Tactics, Techniques, and Procedures (TTPs) used by the malware and its indicators of compromise.
Registry Modification
Another method for bypassing UAC relies on modifying the Windows registry’s ms-settings keys. Some programs on Windows run with elevated privileges by default. One of them is fodhelper that, when executing, at first attempts to access a non-existent registry entry, HKCUClassesms-settingsshellopencommand, before passing on to the next one, HKCRshellopencommand that does exist.
Attackers may leverage this by creating and modifying the first registry entry, which does not require administrative privileges. Thus, they can hijack the registry and ensure the malware initiates without a UAC prompt being shown to the user.
Example:
Here is a sandbox analysis session of the BlankGrabber malware that employs this method of avoiding showing the UAC prompt.
Infinite UAC Prompt Loop
In this method, the user is shown the UAC prompt once again each time they attempt to close it. The intention here is to force the potential victim into agreeing to run the application to remove the window. Yet, as soon as they agree, the malware starts executing on their system.
Example:
Check out this analysis session featuring the Dcrat malware that relies on the prompt loop to gain its foothold on the system.