For roughly six years, a shellcode-based packer known as TrickGate has operated without drawing attention while helping threat actors distribute a wide range of malware, including TrickBot, Emotet, AZORult, Cerber, Agent Tesla, FormBook, Maze, and REvil. “TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically,” said Check Point Research’s Arie Olshtein, describing it as a “master of disguises.”
TrickGate has been offered as a service to other threat actors since at least late 2016. It hides a payload behind a layer of wrapper code so that the packed file slips past the security controls on a host. A packer that encrypts the embedded payload, rather than merely compressing it, is often called a crypter, and the encryption doubles as obfuscation. A Proofpoint report from December 2020 noted that packers evade detection in several ways: by posing as innocuous files, by being hard to reverse engineer, and by employing sandbox-evasion tactics.
Because the commercial packer-as-a-service is updated regularly, its samples have been tracked since 2019 under several different names, including “new loader,” Loncom, and “NSIS-based crypter,” rather than as a single family. Telemetry gathered by Check Point shows that threat actors using TrickGate have targeted the manufacturing sector most heavily, with smaller concentrations in education, healthcare, government, and finance.
FormBook, LokiBot, Remcos, Agent Tesla, and NanoCore are the malware families most often delivered through TrickGate in recent attacks, with the largest concentrations of victims in Taiwan, Turkey, Germany, Russia, and China. The infection chain starts with a phishing email carrying a malicious attachment or a click-bait URL. Either one fetches a shellcode loader that decrypts the real payload and releases it directly into memory, so the unpacked malware appears only in memory rather than as a recognisable file on disk.
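To make the packer/crypter mechanism concrete, here is an added illustration that is not code from Check Point Research or from TrickGate itself: a toy crypter stub that RC4-encrypts a payload and decrypts it back "into memory" at run time, plus three checks a defender might run against the packed artifact. The stub format (the `TOYSTUB` header), the payload bytes, the key, the `evil_c2_beacon()` signature string and the entropy threshold are all constructed for this example. It shows why a byte signature matched against the packed file fails, while an entropy heuristic on the packed file and a signature scan over the decrypted buffer both still fire.

```python
"""Toy crypter and the checks it defeats or survives.

Added illustration, not code from Check Point Research or from TrickGate:
it models the generic packer/crypter pattern in which a stub decrypts an
embedded payload into memory. The payload, key, signature and stub format
are all constructed for this example.
"""
import math
from collections import Counter

MAGIC = b"TOYSTUB\x00"          # constructed stub header, not a real format
ENTROPY_THRESHOLD = 6.0         # bits per byte; a heuristic, tune per section

# Constructed payload: low-entropy bytes plus one string a static rule keys on.
SIGNATURE = b"evil_c2_beacon()"
PAYLOAD = (b"MZ" + b"\x90" * 32
           + b"This program cannot be run in DOS mode"
           + b"\x00" * 16 + SIGNATURE + b"\xCC" * 64)
KEY = b"c0nstructed-key!"        # constructed key; real stubs embed theirs too


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack(payload: bytes, key: bytes) -> bytes:
    """Wrap the payload as a crypter stub would: header, key, length, ciphertext."""
    return (MAGIC + bytes([len(key)]) + key
            + len(payload).to_bytes(4, "little") + rc4(key, payload))


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: parse its own header, decrypt into memory."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a stub produced by pack()")
    pos = len(MAGIC)
    klen = blob[pos]
    pos += 1
    key = blob[pos:pos + klen]
    pos += klen
    plen = int.from_bytes(blob[pos:pos + 4], "little")
    pos += 4
    payload = rc4(key, blob[pos:pos + plen])
    if len(payload) != plen:
        raise ValueError("truncated stub")
    return payload


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(blob: bytes, signature: bytes) -> dict:
    """Static signature on the file, entropy of the file, signature after decryption."""
    decrypted = unpack(blob)     # stands in for a memory dump taken after the stub ran
    entropy = shannon_entropy(blob)
    return {
        "signature_on_disk": signature in blob,
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "signature_in_memory": signature in decrypted,
    }


if __name__ == "__main__":
    packed = pack(PAYLOAD, KEY)
    print("payload entropy:", round(shannon_entropy(PAYLOAD), 2))
    print("packed entropy :", round(shannon_entropy(packed), 2))
    print(scan(packed, SIGNATURE))
```

Two caveats apply when carrying this over to real samples. The entropy threshold is only a heuristic: legitimate compressed or encrypted resources also score high, so it is a triage signal rather than a verdict. And a real stub does not hand you a parser like `unpack()`; the decrypted payload is only observable by letting the stub run (in a sandbox or under a debugger) and dumping the process memory, which is why in-memory and behavioural detection matter against a packer like the one described here.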
According to Check Point’s analysis, the shellcode has been modified frequently, although its core functionality has been present in every sample since 2016. Olshtein found that the injection module is the component that has changed least over time and appears in all TrickGate shellcodes, which makes it the most dependable anchor for recognising the family.