APT group TA505 Detected Using UAC Bypass Techniques in the Latest Iteration of Their Malware Payloads.
Russian APT group TA505 has recently been detected deploying malware on vulnerable systems which takes advantage of a User Account Control (UAC) bypass technique that Tenable researcher David Wells blogged about last year. Deployment of the malware in question requires that an attacker has already breached an organization’s defenses in some other unrelated way before the payload can be dropped onto vulnerable assets and executed.
Once an attacker has found their way onto a Windows machine within their target’s environment, the malicious executable takes advantage of the Windows directory creation API that allows the malware to bypass Microsoft’s naming restriction on directories. The malware then creates a directory with the same name as a default Windows system directory with a trailing space (normally not allowed), and Windows will execute programs from that directory with system permissions, thereby ignoring UAC and leaving the affected user unaware of the intrusion.
Tenable customers can detect these malicious directories by scanning with plugin 88960, which will flag directories that are suspiciously created in system file paths.
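One way to hunt for this lookalike-directory trick on your own hosts, as an added example that is neither Tenable plugin 88960 nor code from the post: flag any path component that equals a protected Windows directory name except for trailing spaces (the case the post describes) or trailing dots, which Win32 path normalisation strips the same way. The PROTECTED_NAMES list is an assumed, illustrative ruleset.

```python
import os
import re
from typing import Dict, Iterable, List

# Names of protected Windows directories a lookalike would imitate.
# Assumption: illustrative list only, not the ruleset of Tenable plugin 88960.
PROTECTED_NAMES = {
    "windows", "system32", "syswow64", "program files", "program files (x86)",
}

_SPLIT = re.compile(r"[\\/]+")  # accept backslash and forward-slash separators


def trailing_junk(component: str) -> str:
    """Return the trailing spaces/dots of a path component ('' if none).

    Win32 path normalisation strips these, so a directory that still carries
    them on disk was created by sidestepping the usual naming rules."""
    return component[len(component.rstrip(" .")):]


def is_lookalike(component: str) -> bool:
    """True if the component is a protected name plus trailing spaces/dots."""
    junk = trailing_junk(component)
    return bool(junk) and component[: -len(junk)].lower() in PROTECTED_NAMES


def suspicious_components(path: str) -> List[str]:
    """Every component of path that is a protected-name lookalike."""
    return [c for c in _SPLIT.split(path) if c and is_lookalike(c)]


def classify_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each path containing a lookalike component to the offending components."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        bad = suspicious_components(p)
        if bad:
            hits[p] = bad
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a live tree; os.walk returns names verbatim, so trailing spaces survive."""
    return {os.path.join(d, n): [n]
            for d, subs, _ in os.walk(root) for n in subs if is_lookalike(n)}


if __name__ == "__main__":
    # Constructed sample paths (not indicators from the post) to exercise the checker.
    sample = [r"C:\Windows \System32\payload.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files \Vendor\tool.exe"]
    for path, comps in classify_paths(sample).items():
        print(f"SUSPICIOUS {path!r}: lookalike component(s) {comps}")
```

On a live host, `scan_tree(r"C:\")` reports every directory whose name matches this pattern; a legitimate install should return nothing.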
3 Replies
Good to know that Tenable can quickly identify affected directories, but can it identify the malicious executable before it's executed?
- Anonymous
Thanks, and good to know.
Thanks for sharing. Good to know.