Warning! TrickBot Trojan Improves Techniques to Avoid Detection
The TrickBot Trojan never seems to go out of fashion. What started as a sophisticated yet relatively one-dimensional banking Trojan evolved into a multi-purpose Swiss Army knife of a malware toolkit. New research into TrickBot shows that the malware has been on the up and up, both when it comes to its activity and its ever-growing protection against detection.
Security researchers with IBM's Trusteer picked apart recently intercepted samples of TrickBot and published a report on the increasingly complex ways the malware hides its activity and handles its code injections. The paper outlines four different methods TrickBot uses to avoid detection.
Removing Local Injections
While researchers may be able to analyze code injections used by TrickBot that are stored locally on the compromised device, things become a lot more difficult when the malware fetches the injection code directly from its servers instead. TrickBot uses a JS loader to grab the appropriate injection from its command and control servers.
Secure Interaction with Command Server
When sending requests to its C2 server, TrickBot uses HTTPS and sets the referrer policy to "unsafe-url". This setting is likely used to inform the C2 server of the specific page the user has opened in their browser, so that the matching code injection can be returned.
Additionally, TrickBot can hijack the certificate verification functions of the victim device, suppressing all errors that might arise from the malicious communication the bot is triggering.
TrickBot has also implemented a new anti-debugging script. The anti-debugger looks for code belonging to TrickBot that has been altered and "beautified" to make it more readable to humans, IBM's researchers said. The malware uses RegEx commands to check for code that has been cleaned up and converted from Base64, with spaces and new lines added to make it more appealing.
If the anti-debugger finds that the code has been touched up and "beautified" by researchers, it sends the malware into a loop that quickly exhausts memory and crashes the browser.
By default, the code used for injection by TrickBot is always encoded using Base64. In addition to this, the malware uses extra steps to encrypt and obfuscate its code.
Dead code is also injected in between legitimate expressions, similar to what other malware does, making the true purpose of the malware's modules harder to determine.
Code is shortened and "uglified" to make it unintelligible to the naked eye while still retaining its malicious capabilities. Strings in functions are moved to arrays and then encrypted, making researchers' jobs even harder. Values assigned to variables are purposefully represented not as integers but as hex, often in absurd expressions. One example provided by researchers is a value of zero being initialized in the code using the string (0x130 * 0x11 + -0x17f5 + 0x2e * 0x15, -0x24a5 + 0x68e * -0x4 + 0x3edd, -0x17f1 + -0x99b * 0x3 + 0x34c2).
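To undo this particular trick during analysis, here is an added Python helper (my own example, not code from the IBM report or from TrickBot itself) that constant-folds such hex arithmetic back into plain integers without ever calling eval(); it is run over the tuple quoted above, and the surrounding JS-style assignment and the variable name `_0x1` are constructed for the sample.

```python
import ast
import operator
import re

# One hex literal, optionally negated ("-0x4"). TrickBot hides plain integers
# behind sums and products of these, e.g. "0x130 * 0x11 + -0x17f5 + 0x2e * 0x15".
_HEX_TERM = r"-?\s*0x[0-9A-Fa-f]+"
# Two or more such terms joined by +, - or *. The lookbehind keeps a match from
# starting inside an identifier such as "_0x1"; a lone literal is left alone.
HEX_EXPR = re.compile(rf"(?<![\w$]){_HEX_TERM}(?:\s*[+*-]\s*{_HEX_TERM})+")

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_hex_expr(expr: str) -> int:
    """Evaluate an arithmetic expression of hex literals without eval().

    Only integer constants, unary minus and + - * are accepted, so untrusted
    obfuscated input cannot trigger anything beyond integer arithmetic.
    """
    def walk(node: ast.AST) -> int:
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")

    return walk(ast.parse(expr, mode="eval").body)


def fold_hex_arithmetic(code: str) -> str:
    """Replace each hex arithmetic expression in code with its decimal value."""
    return HEX_EXPR.sub(lambda m: str(eval_hex_expr(m.group(0))), code)


# Constructed sample: the tuple quoted in the article, wrapped in a JS-style
# array assignment (the variable name _0x1 is made up for this example).
SAMPLE = ("var _0x1 = [0x130 * 0x11 + -0x17f5 + 0x2e * 0x15, "
          "-0x24a5 + 0x68e * -0x4 + 0x3edd, -0x17f1 + -0x99b * 0x3 + 0x34c2];")

if __name__ == "__main__":
    print(fold_hex_arithmetic(SAMPLE))  # var _0x1 = [1, 0, 0];
```

The folded output shows what each sub-expression actually evaluates to, which is the first thing an analyst wants before reading the surrounding logic.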
TrickBot has been a powerhouse in the world of malicious tools for years and it shows no real signs of slowing down or going away. There have been attempts to take down its malicious infrastructure, but success has been very limited and it looks like the malware is still going strong, years after its initial launch.