The cybercrime operators behind the notorious TrickBot malware have once again upped the ante, fine-tuning its techniques and adding multiple layers of defense to slip past antimalware products.
“As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls,” IBM Trusteer said in a report. “These extra security measures have been used to inflict online banking fraud in most cases. TrickBot has been its main activity since the Dyre trojan’s death.”
TrickBot, which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that’s employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a “Trickboot” module that can modify the UEFI firmware of a compromised device.
In the fall of 2020, Microsoft, along with some U.S. agencies and private security firms, teamed up against the TrickBot botnet to take down large portions of its infrastructure around the globe in an effort to stop its operation.
But TrickBot has proven impervious to takedown attempts, with the operators quickly adjusting their techniques to propagate multi-stage malware through phishing and malspam attacks, not to mention expanding their distribution channels by partnering with other affiliates like Shathak (aka TA551) to increase scale and drive profits.
More recently, malicious campaigns involving Emotet have piggybacked on TrickBot as a “delivery service,” triggering an infection chain that drops the Cobalt Strike post-exploitation tool directly onto compromised systems. As of December 2021, an estimated 140,000 victims across 149 countries have been infected by TrickBot.
The new IBM Trusteer findings concern the web injections used to steal browser cookies and banking credentials. As part of what is known as a “man-in-the-browser” (MitB) attack, victims are redirected to duplicate domains when they navigate to banking portals.
Also put to use is a server-side injection mechanism that intercepts the response from a bank’s server and redirects it to an attacker-controlled server, which, in turn, inserts additional code into the webpage before it is relayed back to the client.
Other lines of defense adopted by the latest version of TrickBot include encrypted HTTPS communications with the command-and-control (C2) server for fetching injections; an anti-debugging mechanism to thwart analysis; and new ways to obfuscate and hide the web inject, including the addition of redundant code and the use of hex representation for initializing variables.
Specifically, TrickBot’s anti-debugging function triggers a memory overflow that crashes the page and prevents any investigation of the malware.
“The TrickBot Trojan and the gang that operates it have been a cybercrime staple since they took over when a predecessor, Dyre, went bust in 2016,” Gal said. “TrickBot has not rested a day. Between takedown attempts and a global pandemic, it has been diversifying its monetization models and growing stronger.”