The cybercriminals behind the infamous TrickBot malware have upped the ante once again by fine-tuning their strategies and adding multiple layers of protection to evade anti-malware programs.
“As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls,” IBM Trusteer stated in a report. “In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot’s main activity since its inception after the Dyre Trojan’s demise.”
TrickBot began as a banking trojan and has since developed into a multi-purpose crimeware-as-a-service (CaaS) used by many actors to distribute additional payloads such as ransomware. So far, more than 100 TrickBot variants have been detected, one of which is a “Trickboot” module that can modify a compromised device’s UEFI firmware.
In 2020, Microsoft worked with several US government agencies and commercial security firms to take down most of the TrickBot botnet’s infrastructure around the world in an effort to halt its operations. TrickBot, however, has proven resilient to takedown attempts: its operators quickly adapted their techniques to spread multi-stage malware via phishing and malspam campaigns, and expanded their distribution channels by partnering with other affiliates such as Shathak (aka TA551) to increase scale and drive profits.
Recent Emotet malware campaigns have used TrickBot as a “distribution service,” creating an infection chain that delivers the Cobalt Strike post-exploitation tool directly onto affected systems. As of December 2021, TrickBot had infected an estimated 140,000 victims in 149 countries.
The latest updates observed by IBM Trusteer concern real-time web injections used to steal banking credentials and browser cookies. As part of a man-in-the-browser (MitB) attack, victims are redirected to replica domains when they attempt to access a banking site. A server-side injection method is also used: the bank’s server response is intercepted and redirected to an attacker-controlled server, which inserts additional code into the webpage before relaying it back to the client.
The current version of TrickBot adds further layers of defense around fetching the injections: encrypted HTTPS communication with the command-and-control (C2) server; an anti-debugging routine to thwart analysis; and new ways to obfuscate and hide the web inject, such as adding redundant code and using hex representation for variable initialization. When the anti-debugging function detects any attempt to beautify the code, it triggers a memory overflow that crashes the web page, effectively blocking analysis of the malware.
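As an added illustration of the obfuscation traits just described (not code from the article or from IBM Trusteer), the following defender-side heuristic scores a script captured from a suspect banking session by the share of variable initializers written as hex escapes or hex literals and by declarations that are assigned but never read again. The regexes, thresholds and sample scripts are constructed assumptions, and the anti-debugging behaviour is out of scope.

```javascript
// Added example, not code from the article or IBM Trusteer. A defender-side
// heuristic that scores a script captured from a suspect banking session by
// the obfuscation traits described above: variable initializers written as
// hex escapes or hex literals, and declarations that are never read again
// (redundant code). Thresholds and sample scripts are constructed assumptions.

// Initializers such as  var a = "\x64\x6f";  or  var b = 0x1f;
const HEX_STRING_INIT = /\b(?:var|let|const)\s+\w+\s*=\s*["'](?:\\x[0-9a-fA-F]{2})+["']/g;
const HEX_NUMBER_INIT = /\b(?:var|let|const)\s+\w+\s*=\s*0x[0-9a-fA-F]+\b/g;
const ANY_INIT = /\b(?:var|let|const)\s+\w+\s*=/g;
const DECLARATION = /\b(?:var|let|const)\s+(\w+)/g;

function countMatches(src, re) {
  return (src.match(re) || []).length;
}

// Share of variable initializers that use a hex representation.
function hexInitRatio(src) {
  const total = countMatches(src, ANY_INIT);
  if (total === 0) return 0;
  return (countMatches(src, HEX_STRING_INIT) + countMatches(src, HEX_NUMBER_INIT)) / total;
}

// Declared names that occur exactly once, i.e. are assigned and never read.
function unusedDeclarations(src) {
  const names = new Set();
  for (const m of src.matchAll(DECLARATION)) names.add(m[1]);
  let unused = 0;
  for (const name of names) {
    if (countMatches(src, new RegExp(`\\b${name}\\b`, "g")) === 1) unused += 1;
  }
  return unused;
}

// Constructed thresholds: tune them against scripts from the bank's real pages.
function assess(src) {
  const hexRatio = hexInitRatio(src);
  const unused = unusedDeclarations(src);
  return { hexRatio, unused, suspicious: hexRatio >= 0.5 || unused >= 2 };
}

// Constructed samples: an inject-style snippet and an ordinary login helper.
const SUSPECT_SCRIPT = `
var _0a = "\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74";
var _0b = "\\x67\\x65\\x74\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x42\\x79\\x49\\x64";
var pad1 = 0x1f; var pad2 = 0x2e;
var out = window[_0a][_0b]("login");
`;
const BENIGN_SCRIPT = `
var form = document.getElementById("login");
var submit = form.querySelector("button");
submit.addEventListener("click", function () { form.submit(); });
`;

console.log(assess(SUSPECT_SCRIPT), assess(BENIGN_SCRIPT));
```

A hit only flags a script for review; compare the flagged copy against the page the bank actually serves before concluding an injection took place.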