Trickbot injections are getting harder to detect and analyze


The authors of the Trickbot Trojan have added several layers of defense around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations.

The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is used to conduct online banking fraud, something the tool was originally built for before it was repurposed for distributing other malware.

IBM Trusteer researchers have analyzed the most recent code injections Trickbot uses while stealing information to conduct bank fraud. In the process, they discovered new modifications of the kind the malware's operators have been making since it first appeared in 2016.

The updates include a new server-side injection mechanism; encrypted communications with the command and control server (C2) to retrieve injections; an anti-debugging function; and new ways to obfuscate and hide injection code. Limor Kessem, executive security adviser at IBM, describes the changes as part of an ongoing effort the developers of Trickbot have made to keep the malware one step ahead of security researchers and detection tools.

“Malware designed to pass security checks, like Trickbot, needs to be constantly updated,” says Kessem. “Things change at the code level; resources are encoded/encrypted and obfuscated. These efforts are there to prevent detection and hinder analysis as much as possible.”

Trickbot emerged shortly after Russian law enforcement arrested operators of Dyre, a banking trojan used in attacks that cost banks such as Chase and Bank of America millions of dollars in losses. The highly modular tool started out as a banking trojan like Dyre and is designed to steal information that would allow attackers to access and drain a victim's bank account. Over the years, Trickbot has also turned into a vehicle for distributing other malware, including ransomware and other banking trojans, such as Emotet.

Trickbot operators have so far proved largely resilient to takedown attempts. This includes an attempt in October 2020 in which researchers from Microsoft, ESET, and other security vendors worked with the Financial Services Information Sharing and Analysis Center to disrupt Trickbot's C2 infrastructure. At the time, the malware had infected more than a million systems in 12 countries. Although the takedown effort knocked some 19 different Trickbot C2 servers offline in various locations, it had at best a moderate impact on the functioning of the malware. Details of an indictment last year against a Latvian developer of the malware described the Trickbot core group as made up of around 20 individuals, including software developers, malware experts, mules, financiers, and programmers.

Additional protections
IBM's analysis of the latest version of Trickbot shows that operators have added further protections to the code injections that are used in real time when a user on an infected machine attempts to access their online banking account. The injections are designed to modify information leaving the user's browser on the fly, before it reaches the bank's server.

One of the ways cybercriminals trick victims into divulging sensitive information is by using personalized web injection flows that mimic what they would normally expect when interacting with their bank online, Kessem says. “They can go so far as to create a fake banking site on their servers and take victims there instead,” she says. “In other cases, they create a more robust pattern that involves humans on the other end,” as was the case with the Dyre attackers.

IBM's analysis shows that instead of fetching injection code from configuration files stored locally on a compromised system, Trickbot operators have now started serving injection code in real time from their own server. This type of server-side injection is easier for attackers to manipulate in real time than locally stored injections. It also makes it much harder for defenders to understand what malicious activity might be launched against a particular target, IBM said.

A JavaScript downloader used by Trickbot has also been changed so that it now uses the HTTPS protocol to securely fetch web injections from an attacker-controlled injection server. Injections are tailored to specific bank URLs and are designed to trick users into disclosing information that attackers can use to steal money from an online bank account.

As an additional measure, the authors of Trickbot added anti-debugging functionality to the malware's JavaScript code. The anti-debugging feature is designed to spot the so-called “code beautification” (reformatting of minified or obfuscated code) that security researchers perform when analyzing suspicious code. When Trickbot's new anti-debugging mechanism detects any attempt to beautify the code, it immediately triggers a process that leads to memory overload and a browser crash, IBM said.

The code that Trickbot itself injects is also heavily obfuscated. It is encoded with Base64 and uses a variety of tricks, such as making code unreadable to the human eye, hiding information about code execution, and representing numbers and variables in a deliberately complex way. “Knowing the techniques helps defenders know what to expect,” says Kessem, “and unpack the tough parts so they can analyze malware and adjust controls.”
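As an added illustration of the unpacking step Kessem describes, the following Python helper peels nested Base64 layers off a JavaScript sample and counts the kinds of obfuscation indicators mentioned above (hex and radix-converted numbers, meaningless identifiers, split string literals, escaped text, and a function inspecting its own source). This is example code written for this article, not IBM's tooling or code from the Trickbot report; the sample script, the regular expressions and the indicator names are all assumptions chosen for the example, and the self-inspection pattern is one common way a script can notice it has been reformatted, not the exact check the article describes.

```python
"""Layered-Base64 unpacker and obfuscation-indicator scanner for JavaScript samples."""
import base64
import binascii
import re

# Heuristic patterns for the indicator types described in the article.
# These are assumptions chosen for this example, not signatures from IBM's report.
INDICATORS = {
    # numbers written as hex literals or radix conversions instead of plain digits
    "complex_numbers": re.compile(
        r"\b0x[0-9a-fA-F]+\b|parseInt\(\s*['\"]\d+['\"]\s*,\s*\d+\s*\)"
    ),
    # identifiers that carry no meaning to a human reader (e.g. _0x3f2a)
    "opaque_identifiers": re.compile(r"\b_0x[0-9a-fA-F]{4,}\b"),
    # string literals split into fragments and re-joined, hiding keywords
    "split_strings": re.compile(r"'[^']*'\s*\+\s*'[^']*'"),
    # \xNN / \uNNNN escapes used to hide otherwise plain text
    "escaped_text": re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}"),
    # a function examining its own source text; an assumed pattern a script
    # might use to notice it has been beautified (the article does not give the exact check)
    "source_self_inspection": re.compile(
        r"\.toString\(\)\s*\.\s*(?:indexOf|includes|match|search|replace)"
    ),
}

# Runs of Base64 alphabet characters long enough to be worth trying to decode.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _try_b64(blob: str):
    """Decode blob as Base64 and return readable text, or None if it is not Base64 text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel_base64(script: str, max_layers: int = 5):
    """Repeatedly decode the longest Base64 blob found in the script.

    Returns the successive decoded layers, outermost first. Stops when no blob
    decodes to readable text or when max_layers has been reached.
    """
    layers = []
    current = script
    for _ in range(max_layers):
        blobs = sorted(_B64_BLOB.findall(current), key=len, reverse=True)
        decoded = next((d for d in (_try_b64(b) for b in blobs) if d is not None), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def obfuscation_indicators(js: str):
    """Count occurrences of each indicator pattern in a JavaScript string."""
    return {name: len(rx.findall(js)) for name, rx in INDICATORS.items()}


def analyze(script: str):
    """Unpack all Base64 layers and score the innermost one; returns (layers, counts)."""
    layers = peel_base64(script)
    innermost = layers[-1] if layers else script
    return layers, obfuscation_indicators(innermost)


# Constructed sample (not Trickbot code): a few lines of obfuscated-looking
# JavaScript wrapped in two Base64 layers, the way the article says injection
# code is encoded. The inner script is never executed here, only inspected.
INNER_JS = (
    "var _0x3f2a=['acc'+'ount','bal'+'ance'];"
    "var n=0x10+parseInt('17',8);"
    "var s='\\x61\\x62';"
    "if(f.toString().indexOf('\\n')!==-1){flag=1;}"
)
LAYER1 = "eval(atob('" + base64.b64encode(INNER_JS.encode()).decode() + "'));"
SAMPLE = "eval(atob('" + base64.b64encode(LAYER1.encode()).decode() + "'));"

if __name__ == "__main__":
    found_layers, counts = analyze(SAMPLE)
    print(f"peeled {len(found_layers)} layer(s); innermost script:\n  {found_layers[-1]}")
    for name, count in counts.items():
        print(f"  {name}: {count}")
```

The counts are a triage aid, not a verdict: legitimate minified libraries also use hex literals and short identifiers, so the scan is most useful for deciding which scripts deserve a manual look and for confirming that a decoded layer is the final one before spending analyst time on it.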
