Malware TrickBot Uses New Techniques to Avoid Web Injection

Malware TrickBot Uses New Techniques to Avoid Web Injection

Short News:-

TrickBot has evolved into a multi-purpose crimeware-as-a-service (CaaS) that's employed by a variety of actors. As of December 2021, an estimated 140,000 victims across 149 countries have been infected by TrickBot. TrickBot Trojan uses encryption to hide its source code and an anti-debugging mechanism to thwart analysis. Microsoft, U.S. government agencies, and private security companies plan to shut down the botnet in 2020.

Detailed News:-

Now that TrickBot has been widely exposed, cybercriminals responsible for it have refined and improved the malware's defenses to make it harder for antimalware programs to detect and stop them in their tracks.

IBM Trusteer says malware injections have been outfitted with additional protection in order to keep researchers from accessing and evading security safeguards. The majority of these additional safeguards have been introduced to injections used in online banking fraud, which has been TrickBot's primary activity since its birth following the collapse of the Dyre Trojan. "

It began as a banking trojan but has developed into a multipurpose criminal software platform that is being used by a wide range of criminal organizations to distribute ransomware and other malicious software. To date, there have been over 100 variants of the TrickBot malware, including one known as the "Trickboot" module, which may be used to alter a hacked device's firmware.

Malware attacks employing Emotet have recently used TrickBot as a "distribution service," creating an infection chain that directly distributes the Cobalt Strike post-exploitation tool onto victim systems. This is a recent development. TrickBot has infected an estimated 140,000 people in 149 countries as of December 2021.

IBM Trusteer has noticed a recent uptick in real-time web injection attacks aimed at stealing banking credentials and cookies from users' browsers. As part of what's known as a man-in-the-browser (MitB) assault, this redirects users to fake banking websites.

When an attacker has control of an attacker-controlled server and can intercept and redirect server responses, they can insert additional code into a webpage before it is sent back to the client. This is known as a server-side injection.

Using a downloader or a JavaScript (JS) loader, the TrickBot malware communicates with its inject server so that the proper injection may be retrieved at the right time, an IBM security web researcher stated.

The latest version of TrickBot shows the use of encrypted HTTPS communications with the command-and-control (C2) server for retrieving injections; an anti-debugging mechanism to thwart analysis; and new ways to obfuscate and hide the web injects, including the addition of redundant code and incorporation of hex representation for initializing variables.

When TrickBot's anti-debugging function detects any attempt to beautify code, it causes a memory overload that would effectively prohibit any investigation of the virus from taking place.

In 2016, the TrickBot Trojan and its operators took over after their predecessors, Dyre, went bankrupt, according to Gal. "TrickBot hasn't had a day off. After a series of threats and a global epidemic, it has been broadening its monetization models while strengthening itself."

When Microsoft and a few US government agencies and private security businesses teamed up in the fall of 2020 to take down the TrickBot botnet, they were able to disrupt its operations around the world.

In spite of this, TrickBot has proven to be resistant to takedown attempts because its operators quickly adapted their techniques to propagate multi-stage malware through phishing and mail spam attacks, as well as expand their distribution channels by partnering with other affiliates like Shathak (aka TA551) to increase scale and drive profits.