The operators of the TrickBot malware have added a new anti-analysis feature to the latest variant. It lets TrickBot crash the analyst's browser in order to obstruct analysis of the malware.
TrickBot has been active since 2016 and has dominated the threat landscape. How has this malware managed to do so?
Thanks to constant development and the addition of new features that let its operators carry out all their illicit activities.
Because TrickBot is modular, the threat actors can perform a wide range of malicious activities simply by deploying additional modules.
Abilities of TrickBot
Among its wide range of capabilities, some of the key abilities of TrickBot are:-
- Man-in-the-browser attacks.
- Steal online banking credentials.
- Steal active directory databases.
- Spread through a network.
- Data exfiltration.
Moreover, TrickBot's stealth and effectiveness let the threat actors deploy other payloads as well, and analysts have also speculated about links between TrickBot and other players like:-
- Diavol ransomware group.
- Conti ransomware gang.
- Re-emergence of Emotet.
To slow down analysis, TrickBot uses several layers of obfuscation, base64 encoding and redundant parts in its scripts, along with features like:-
- String extraction
- Number base
- Dead code injection
- Monkey patching
In total there are three lines of defense, listed below:-
- First Line of Defense: Server-Side Injection Delivery
- Second Line of Defense: Secure Communications With the C2
- Third Line of Defense: Anti-Debugging
For communication with its command and control (C2) server it uses the HTTPS protocol, which supports encrypted data exchange.
The operators of TrickBot can inject a specially crafted malicious script into the victim's browser after gathering the device's fingerprint. Once done, they target their victims' bank credentials.
“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes.”
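The check the quoted analysis describes rests on telling beautified source from minified source. The JavaScript below is an added example, not TrickBot's code or the analysts'; the regex, the sample functions and the toString hook are constructed here to show how such a self-check works and how an analyst can neutralise it without running the code in a browser.

```javascript
// Constructed samples: the same function as a minifier emits it and as a
// beautifier reformats it. Beautifiers insert newlines followed by indentation.
const MINIFIED_SRC = 'function f(n){var a=[];for(var i=0;i<n;i++)a.push(i);return a}';
const BEAUTIFIED_SRC = 'function f(n) {\n  var a = [];\n  for (var i = 0; i < n; i++) {\n    a.push(i);\n  }\n  return a;\n}';

// Assumed heuristic (TrickBot's actual RegEx is not given in the article):
// a newline followed by indentation means the file has been run through a beautifier.
const BEAUTIFIED_RE = /\n[ \t]+\S/;

function looksBeautified(source) {
  return BEAUTIFIED_RE.test(source);
}

// A script can inspect its own text via Function.prototype.toString, which
// returns the function exactly as it appears in the loaded file.
function selfInspect(fn) {
  return looksBeautified(Function.prototype.toString.call(fn));
}

// Analyst countermeasure (monkey patching): hand back the original minified text
// for the inspected function, so the self-check passes and execution stays on the
// normal path instead of entering the memory-exhausting loop. Returns a restorer.
function neutraliseSelfInspection(fn, originalSource) {
  const realToString = Function.prototype.toString;
  Function.prototype.toString = function () {
    return this === fn ? originalSource : realToString.call(this);
  };
  return () => { Function.prototype.toString = realToString; };
}

// Two constructed functions: one written as a beautifier would leave it,
// one written on a single line as a minifier would emit it.
function sampleBeautified(n) {
  var a = [];
  return a.length + n;
}
const sampleMinified = function (n){var a=[];return a.length+n};

// Walk through: the beautified copy trips the check until the hook is installed.
function demo() {
  const before = selfInspect(sampleBeautified);   // true: the trap would fire
  const restore = neutraliseSelfInspection(sampleBeautified, MINIFIED_SRC);
  const after = selfInspect(sampleBeautified);    // false: check now passes
  restore();
  return { before, after, minified: selfInspect(sampleMinified) };
}
```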
TrickBot arrives through phishing emails and, with the help of macros, executes itself to get installed on the victim's system.
So, in this case, the analysts have recommended that users follow the mitigations mentioned below:-
- Treat all incoming emails with caution.
- Always enable multi-factor authentication.
- Regularly monitor all login logs.
- Use robust security mechanisms and AV tools.
- Always keep your network systems up to date.
- Regularly keep offline backups.
By following the above-mentioned mitigating recommendations, you can keep your system and network safe from such malicious attacks.