TrickBot Crashes Browser Tabs to Hinder Malware Analysis
New Techniques Employed by the Well-Known Modular Trojan Make the Life of Security Researchers Harder.
TrickBot is continuously evolving and has recently been extended with new features that make its research, analysis, and detection harder: its latest variants crash the browser tab when they detect that the injection script has been beautified.
TrickBot and How It Works
TrickBot is modular malware: its operators can deploy several modules, each of which triggers a different malicious action or cyberattack. Here is what TrickBot can do:
- Facilitate man-in-the-browser attacks to steal online banking credentials and Active Directory credentials;
- Propagate further across the network;
- Engage in data exfiltration/data egress;
- Deploy payloads.
According to BleepingComputer, this malware has recently been associated with the Diavol and Conti ransomware families and with the Emotet botnet. It is leveraged to deploy payloads because of its efficiency and stealth.
What’s New with Trickbot: Anti-Analysis Features and More
Anti-analysis features have reportedly been added to TrickBot. The report comes from IBM Trusteer researchers, who investigated recent samples and discovered some interesting facts.
TrickBot's developers use base64 encoding and a set of obfuscation layers to produce the script: string replacement and extraction, monkey patching, dead code injection, and minification.
These obfuscation layers are designed specifically to slow down analysis or to produce incomplete investigation results.
Another interesting fact is that the injection of malicious scripts into web pages depends only on the attackers' servers: the injections are fetched from there and are not stored locally. This prevents security researchers from pulling samples out of the compromised machine's memory.
TrickBot uses HTTPS for its C2 communication, so the exchanged data is encrypted. The injection requests also carry parameters that flag unknown sources, which means security analysts cannot retrieve samples from the C2 using an endpoint that is not registered with it.
TrickBot operators collect device fingerprints, which lets them inject a custom script into every browser they target. The injection is tailored to a specific bank, and the bank's system is fooled into believing that the real customer is initiating the session.
TrickBot's JS code also contains an anti-debugging script. It anticipates analysis: when analysis is detected, it triggers a memory overload that causes the page to stop working.
For instance, when looking at obfuscated injection code, a researcher may start by decoding it from the Base64 format, then make all literals and functions human readable. Literal values are changed to real ones, code is divided into chunks, etc. All these efforts are part of code beautifying, and TrickBot expects that from researchers, making it a good place to hold them back. (…) TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes.
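The tripwire described above, as an added example in JavaScript that is not TrickBot's code and is not taken from the IBM Trusteer report: the regex, the two constructed injection samples, the iteration cap and the analyst-side countermeasure are all assumptions made for this demonstration. It shows the three pieces the report mentions (a regex that recognizes beautified source, a loop that grows an array on every round, and the gate that picks one behaviour or the other), with the loop bounded so that it terminates instead of crashing the process.

```javascript
// Added example (not TrickBot's code): a "beautification tripwire" in the
// style IBM Trusteer describes. Regex, samples and cap are assumptions.

// Constructed sample: a minified injection snippet, as it would be served.
const MINIFIED = 'var a=atob("aGVsbG8=");function f(b){return b+1}f(a);';

// The same snippet after an analyst runs it through a beautifier.
const BEAUTIFIED = [
  'var a = atob("aGVsbG8=");',
  '',
  'function f(b) {',
  '    return b + 1;',
  '}',
  'f(a);',
].join('\n');

// Heuristic (assumption): beautified code has newline-plus-indentation,
// spaces around "=", or a statement terminator followed by a newline.
// Minified code has none of these.
const BEAUTIFIED_RE = /\n[ \t]+\S|\s=\s|;\n/;

function looksBeautified(src) {
  return BEAUTIFIED_RE.test(src);
}

// The script can inspect its own text via Function.prototype.toString:
// a decoded, reformatted copy trips the check; a one-line original does not.
function selfSourceIsBeautified(fn) {
  return looksBeautified(fn.toString());
}

// Bounded stand-in for the crash loop: push a growing chunk on every iteration.
// The reported loop is unbounded; maxIterations is an assumption so that the
// example terminates. Chunk size doubles each round (capped at 2^20 elements).
function memoryPressureLoop(maxIterations) {
  const chunks = [];
  let iterations = 0;
  while (iterations < maxIterations) {
    chunks.push(new Array(1 << Math.min(iterations, 20)).fill(0));
    iterations++;
  }
  const elements = chunks.reduce((n, c) => n + c.length, 0);
  return { iterations, elements };
}

// The gate: run the payload on original-looking source, burn memory on
// beautified source.
function antiAnalysisGate(src, maxIterations = 10) {
  if (looksBeautified(src)) {
    return { action: 'crash', ...memoryPressureLoop(maxIterations) };
  }
  return { action: 'run', iterations: 0, elements: 0 };
}

// Analyst-side countermeasure (assumption, not from the report): run the
// beautified sample with RegExp.prototype.test stubbed so the tripwire's
// regex can never match, then restore the original method.
function withTripwireDisabled(tripwireRe, fn) {
  const original = RegExp.prototype.test;
  RegExp.prototype.test = function (s) {
    if (this.source === tripwireRe.source) return false;
    return original.call(this, s);
  };
  try {
    return fn();
  } finally {
    RegExp.prototype.test = original;
  }
}

console.log(antiAnalysisGate(MINIFIED).action);   // run
console.log(antiAnalysisGate(BEAUTIFIED).action); // crash
console.log(withTripwireDisabled(BEAUTIFIED_RE, () => antiAnalysisGate(BEAUTIFIED)).action); // run
```

The detection regex TrickBot actually uses is not reproduced on this page, so the one above is only a plausible stand-in; the point is that the check keys on formatting, not on behaviour, which is why a reformatted but otherwise identical sample takes the crash branch. When working a real sample, run the beautified copy in a throwaway VM or under a memory cap (for example `node --max-old-space-size=256`) so that a tripped loop kills the sandboxed process rather than the analyst's browser.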
How to Stay Safe Using Heimdal™
TrickBot's common attack vectors are known to be phishing emails carrying malicious attachments that, if opened, infect your machine with the malware. That means you need an efficient email security solution, among other measures. Choose Heimdal Email Security for unparalleled cloud and on-premises protection, built on a blend of human expertise and threat intelligence. Your emails go through deep analysis, so malicious attachments, impersonation, and data leak risks have no chance!