Since the return of TrickBot, malware researchers have been observing additional features and capabilities that make its detection and analysis tougher than ever.
TrickBot banking trojan has evolved into a full-featured, multi-purpose crimeware-as-a-service or CaaS. A majority of threat actors are employing TrickBot to deliver additional payloads on their targets, such as ransomware.
What’s more, nearly a hundred different variations of the malware have been discovered so far. When a trojan is in such high demand among the cybercrime fraternity, keeping it undetected by researchers becomes a priority for its operators.
According to IBM Trusteer’s latest report, operators behind TrickBot malware have fine-tuned its functionalities and added multiple defense layers to evade anti-malware software and protect it from inspection and research.
How TrickBot Prevents Reverse Engineering
In the cybersecurity community, reverse engineering is performed to analyze a malware sample, dissecting its code to understand how it operates and how it defends itself against anti-malware solutions. TrickBot uses three main lines of defense to prevent reverse engineering. The first is using server-side injections instead of loading them from infected machines.
The second trick is using HTTPS communications to fetch injections from its C2 server. TrickBot uses flags to determine which page the user is browsing, lock data streams, identify when to ignore requests from ‘unwelcome’ sources, and prevent researchers from assessing communication flows. It also blocks certificate errors so victims cannot identify the C2 server link.
The third line of defense is the most interesting one as malware operators have added an anti-debugging script that triggers a memory overload when a security researcher performs a Code Beautifying technique.
Code beautifying reformats large swathes of code to make it readable and easy to analyze. When TrickBot detects this reformatting, it throws itself into a loop. Malware operators have also used redundant junk script and code, Base64 obfuscation, and native function patches to further confuse researchers.
New features mean more evasion
IBM Trusteer revealed in their report that they discovered new tweaks in the most recent code injections the malware used to steal information to conduct banking fraud. These updates include encrypted communications with the C&C server to fetch injections, a brand-new server-side injection functionality, and an anti-debugging feature.
Furthermore, it is loaded with new methods to hide the injection code, wrote IBM’s executive security advisor, Limor Kessem. Kessem described the changes as part of a deliberate effort by TrickBot developers to keep the malware a step ahead of detection tools and to successfully trick security researchers, and further noted that malware like TrickBot needs to be updated constantly.
Malware that’s designed to get through security controls, as TrickBot is, has to be constantly updated. Things change at the code level; resources are encoded/encrypted and obfuscated. These efforts are there to prevent detection and hinder analysis as much as possible.
Limor Kessem – IBM X-Force
The IBM Trusteer report identified that TrickBot developers are keen on adding protective layers to prevent researchers from observing the malware and letting it get through numerous security controls.
In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot’s main activity since its inception after the Dyre Trojan’s demise.