HomeWinBuzzer NewsMicrosoft Windows Defender Cannot Detect a New Malware Attack Based on the...

Microsoft Windows Defender Cannot Detect a New Malware Attack Based on the GootKit Trojan

Bad actors can bypass Windows Defender scanning features through an updated version of the GootKit banking Trojan.


often talks up as the only protection users need on . However, despite gaining more features as it matures, malware writers are adapting to escape detection.

According to a report from BleedingComputer, bad actors have used the GootKit banking Trojan that help malware evade Windows Defender. GootKit uses a UAC bypass and WMIC commands to help executable malware remain undetected by Microsoft's antivirus tool.

If you are unfamiliar with GootKit, it is a Trojan that infiltrates a system and tries to lift online banking details. This is achieved through video capture and by redirecting unwitting users to fake banking websites.

Malware and security researcher Vitali Kremez analyzed a GootKit sample and found the Trojan is being used in efforts to thwart Windows Defender. By leveraging GootKit, are managing to hide malware from system defense scans.

Attack Method

Kremez sent code to BleedingComputer that shows how the Trojan will check for Windows Defender before issuing its command:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

If the Trojan detects Defender is enabled the malware will a command that can infiltrate the system and avoid detection. BleedingComputer details the path the command takes:

  1. “Create the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command “DelegateExecute”=0 value, which is needed for the bypass.
  2. Create the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command value so it point to a command that whitelists the malware executables path. It does this using the command:
    WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\”‘ + excludeDir + ‘\”.
  3. Executes the command C:\Windows\System32\fodhelper.exe, which will execute the WMIC command above without showing a UAC prompt.
  4. It will then ping the loopback address 7 times to create a delay.
  5. Finally it deletes the value with the WMIC command from the Registry.”

Once this malware patch is executed, Windows Defender will not be able to scan the path and spot the attack.

It will be interesting to see what Microsoft's reaction to this research is. The company has done a lot to make Windows Defender a robust antivirus tool that is deeply integrated with Windows. With hackers also upping their game, we guess Redmond will be quick to respond.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News