Trojan:Win32/Wacatac.H!ml is a detection of Microsoft Defender that may flag several different malware families. Once installed, it can deliver additional malicious payloads, manipulate system settings, and encrypt user data. On the other hand, it can sometimes be a false positive detection.
Trojan:Win32/Wacatac.H!ml Overview
Trojan:Win32/Wacatac.H!ml is a detection of Microsoft Defender that flags a wide range of malware, which share similar functionality. In particular, Wacatac.H!ml appears when there is a ransomware active in the system, or a dropper (loader) malware that is known to deploy ransomware. Nonetheless, such a dropper may deliver literally any other type of malicious program – from adware to spyware or backdoors.
Wacatac.H!ml often gets into the system when the user downloads or installs cracked programs, keygens or similar sketchy software. Sometimes, users are tricked into downloading the malware by disguising it as a legitimate file or software update. Right off the start, Wacatac.H!ml changes registry settings and system settings and masquerades as a benign process, to further proceed with downloading other malware. It hides its presence on the infected system through various means, such as code obfuscation and polymorphism.
The “ml” in Trojan:Win32/Wacatac.H!ml stands for machine learning, which means it may sometimes be a false positive, as evidenced by many reviews on the Internet. For example, Defender may flag a simple home application written in C++ as Trojan:Win32/Wacatac.H!ml. I will pay this a bit more attention later in the article.
Technical Analysis
It is not particularly hard to find a sample of Trojan:Win32/Wacatac.H!ml: dropper malware is a backbone of malware infrastructure these days. As I’ve already mentioned, dodgy apps or cracked games are the most widespread source of this virus. Still, to simplify the task, I have got a ready sample to work on.
Like the majority of dropper malware, before getting to actual execution, Wacatac.H!ml performs a check for a virtual environment or sandbox. It checks the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\CVH\VirtualProductInfo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
These keys contain system information that the malware uses to determine whether it is in a virtual environment or sandbox. Next, Trojan:Win32/Wacatac.H!ml collects some basic information about the system through the calls to SecurityHealthService and WMI:
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
The data these queries return allow the malware to fingerprint the system – an essential thing for further activity. Depending on the system configuration, Wacatac.H!ml may deploy different malware samples. One more part of the fingerprinting is enumerating programs by checking mutexes present in the system.
A08D74470003000000006BC5_CACHEMUTEX
Global\552FFA80-3393-423d-8671-7BA046BB5906
Installing
Local\10MU_ACB10_S-1-5-5-0-182969
Local\10MU_ACBPIDS_S-1-5-5-0-182969
Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
This is a rather unusual tactic that most likely aims at avoiding the usage of more common system calls that antivirus software may track. To make the detection even harder, Wacatac deletes the following registry keys to hide traces of its activity:
HKEY_CURRENT_USER\Control Panel\MMCPL\mlcfg32.cpl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance\Disable Performance Counters
Payload Execution
Next, Wacatac.H!ml performs its primary function of deploying the payload. It uses an encrypted connection over TCP port 204.79.197.203:443, which is associated with Microsoft, specifically Office365. The malware drops quite a few files:
FRMCACHE.DAT
4086b4f4db.exe
hb4h80jb.exe
bdoe923.tmp.bat
~WRS{C12DF935-B9DB-4568-9CBB-CB1340274738}.tmp
Wacatac.H!ml runs each of these files through DLL injection, by abusing the C:\Windows\system32\svchost.exe -k DcomLaunch -p command. Though, it can run them as plain executable programs, too, and probably does so when there is no antivirus installed.
False Positive
Trojan:Win32/Wacatac.H!ml may be a false positive, and there are user complaints regarding this being the case. This detection comes from Microsoft’s AI engine – this is what the “!ml” part means – and thus requires additional checks from other systems. When these systems, namely heuristics and databases, fail to provide the confirmation, the AI system may proceed with flagging a bening software as malicious.
Considering that the key activity the Wacatac malware group is known for is loading, the false detection may appear to any program or script that has networking activity. It is especially true for some self-made apps that do not have certificates or anything that can prove they are not malicious.
How To Remove Trojan:Win32/Wacatac.H!ml?
Since Trojan:Win32/Wacatac.H!ml primarily targets Windows Defender, you will most likely need a third-party anti-malware solution. I recommend using GridinSoft Anti-Malware, as it allows you to find and neutralize the threat in just a few clicks.
