
Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years
2023-01-31 10:39

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

"TrickGate managed to stay under the radar for years because it is transformative - it undergoes changes periodically," Check Point Research's Arie Olshtein said, calling it a "Master of disguises."

Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host.

Because the commercial packer-as-a-service is updated so frequently, TrickGate has been tracked under various names since 2019, including "new loader," Loncom, and "NSIS-based crypter."

Telemetry data gathered by Check Point indicates that the threat actors leveraging TrickGate have primarily singled out the manufacturing sector, and to a lesser extent, education, healthcare, government, and finance verticals.

"The injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes."

News URL

https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.html