Old Windows ‘Mock Folders’ UAC bypass used to drop malware

A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware, aided by an old Windows User Account Control (UAC) bypass discovered over two years ago.

The use of mock trusted directories to bypass Windows User Account Control stands out in the attack as it’s been known since 2020 but remains effective today.

The latest Remcos campaign was observed and analyzed by SentinelOne researchers, who documented their findings in a report published today.

It starts with a fake invoice

The phishing campaign emails are sent from top-level domains that match the recipient’s country and are typically masked as invoices, tender documentation, and other financial documents.

The emails don’t contain much text other than what is required to point the recipient’s attention to the attachment, a tar.lz archive containing the DBatLoader executable.

Sample email from the campaign (SentinelOne)

Such an unusual choice of file format reduces the chances of the victims successfully opening the attachment but also helps in evading detection from antivirus software and email security tools.

The first stage payload of the malware loader is disguised as a Microsoft Office, LibreOffice, or PDF document using double extensions and app icons to trick the victim into opening it.

Upon launching the malware loader, a second-stage payload is fetched from a public cloud service, such as Microsoft OneDrive or Google Drive.

SentinelOne reports that in one case, the cloud service was abused to host DBatLoader for over a month, although it’s not clear whether the threat actors used their own account or a compromised one with a clean history.

Abusing mock “trusted” folders

Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script to abuse a Windows UAC bypassing method documented in 2020.

The method, first demonstrated on Windows 10 by security researcher Daniel Gebert, involves using a mock trusted directory to bypass UAC and run malicious code without prompting the user.

Windows UAC is a protection mechanism that Microsoft introduced in Windows Vista, asking users to confirm the execution of high-risk applications.

Some folders, such as C:\Windows\System32, are trusted by Windows, allowing executables to auto-elevate without displaying a UAC prompt.

A mock directory is an imitation directory with a trailing space. For example, “C:\Windows\System32” is a legitimate folder and is considered a trusted location in Windows. A mock directory would look like “C:\Windows \System32”, with an extra space after C:\Windows.

The problem is that some Windows programs, like File Explorer, treat “C:\Windows” and “C:\Windows ” as the same folder, thus tricking the operating system into thinking C:\Windows \System32 is a trusted folder whose files should auto-elevate without a UAC prompt.

The script used by DBatLoader, in this case, creates mock trusted directories in the same way, creating a “C:\Windows \System32” folder and copying legitimate executables (“easinvoker.exe”) and malicious DLLs (“netutils.dll”) to it.

Script that executes the Windows UAC bypass (SentinelOne)

“easinvoker.exe is susceptible to DLL hijacking enabling the execution of the malicious netutils.dll in its context,” SentinelOne explains.

“easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing a UAC prompt if located in a trusted directory – the mock %SystemRoot%\System32 directory ensures this criteria is fulfilled.”

The malware loader adds the malicious script (“KDECO.bat”), which is hidden inside the DLL, to Microsoft Defender’s exclusion list and then establishes persistence for Remcos by creating a new registry key.

Eventually, Remcos is executed through process injection, configured with keylogging and screenshot-snapping capabilities.

Remcos configuration (SentinelOne)

SentinelOne suggests that system administrators configure Windows UAC to “Always Notify,” although this setting may be too obstructive and noisy for some environments.

Admins should also monitor for suspicious file creations or process executions in trusted filesystem paths with trailing spaces, especially folders containing the string “Windows”.
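The monitoring advice above, and the path confusion described in the “mock trusted folders” section, can be turned into a simple detection rule: strip trailing spaces from every directory component of a logged path, and alert when the stripped path falls under a trusted location but the raw path did not. The script below is an added example written for this article, not SentinelOne’s or BleepingComputer’s code. The event lines, the `event|path` log format, and the list of trusted prefixes are constructed assumptions for illustration; in practice the paths would come from Sysmon file-creation and process-creation events or an EDR feed.

```python
"""Flag file/process events whose path uses a "mock" trusted directory
(a directory component with a trailing space that collapses onto a real
trusted location such as C:\\Windows\\System32 once the space is removed)."""

# Assumed trusted locations (lower-case, backslash-separated). Only
# C:\Windows\System32 is named in the article; the rest are assumptions.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
)

# Constructed sample events in an assumed "<event_type>|<path>" format.
SAMPLE_EVENTS = [
    "FileCreate|C:\\Windows \\System32\\netutils.dll",
    "FileCreate|C:\\Windows \\System32\\easinvoker.exe",
    "ProcessCreate|C:\\Windows\\System32\\svchost.exe",
    "ProcessCreate|C:\\Windows \\System32\\easinvoker.exe",
    "FileCreate|C:\\Users\\alice\\Documents\\report .pdf",
    "FileCreate|C:\\Program Files \\Vendor\\app.exe",
]


def mock_directory_components(path):
    """Return the directory components (not the file name) that carry a
    trailing space, i.e. the components that make a path a mock directory."""
    parts = path.split("\\")
    return [p for p in parts[:-1] if p != p.rstrip(" ")]


def normalize_path(path):
    """Collapse 'C:\\Windows \\System32\\x.exe' to 'C:\\Windows\\System32\\x.exe',
    mirroring how Explorer treats 'C:\\Windows ' and 'C:\\Windows' alike."""
    return "\\".join(p.rstrip(" ") for p in path.split("\\"))


def inspect_path(raw_path):
    """Return a finding dict if raw_path is a mock trusted directory path,
    otherwise None. Severity is 'high' when the mock component contains
    'Windows', as the article singles out, and 'medium' otherwise."""
    mock_parts = mock_directory_components(raw_path)
    if not mock_parts:
        return None
    normalized = normalize_path(raw_path)
    if not normalized.lower().startswith(TRUSTED_PREFIXES):
        return None
    severity = "high" if any("windows" in p.lower() for p in mock_parts) else "medium"
    return {
        "raw_path": raw_path,
        "normalized": normalized,
        "mock_components": mock_parts,
        "severity": severity,
    }


def scan_events(lines):
    """Run inspect_path over '<event_type>|<path>' lines; return the alerts."""
    alerts = []
    for line in lines:
        event_type, _, raw_path = line.partition("|")
        finding = inspect_path(raw_path)
        if finding:
            alerts.append({"event": event_type, **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['event']}: {alert['raw_path']!r} "
              f"-> resolves under trusted {alert['normalized']!r}")
```

The rule deliberately ignores trailing spaces in the file name itself (the `report .pdf` event), since those are common in user documents and do not change which directory a file resolves to; only a trailing space on a directory component creates the confusion this bypass relies on.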