TrickBot Malware Using New Techniques to Evade Web Injection Attacks (Security News, January 2022)
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante, fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
TrickBot has proven to be impervious to takedown attempts, with the operators quickly adjusting their techniques to propagate multi-stage malware through phishing and malspam attacks, not to mention expanding their distribution channels by partnering with other affiliates like Shathak to increase scale and drive profits.
More recently, malware campaigns involving Emotet have piggybacked on TrickBot as a "Delivery service," triggering an infection chain that drops the Cobalt Strike post-exploitation tool directly onto compromised systems.
As of December 2021, an estimated 140,000 victims across 149 countries have been infected by TrickBot.
"To facilitate fetching the right injection at the right moment, the resident TrickBot malware uses a downloader or a JavaScript loader to communicate with its inject server," said Michael Gal, a security web researcher at IBM. Other lines of defense adopted by the latest version of TrickBot include the use of encrypted HTTPS communications with the command-and-control server for fetching injections; an anti-debugging mechanism to thwart analysis; and new ways to obfuscate and hide the web inject, including the addition of redundant code and the use of hex representation for initializing variables.
Specifically, upon detecting any attempt made to beautify code, TrickBot's anti-debugging feature triggers a memory overload that would crash the page, effectively preventing any examination of the malware.
News URL
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html