Trickbot Injections Get Harder to Detect

The authors of the Trickbot Trojan have added multiple layers of defenses around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations.

The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is being used to conduct online banking fraud — something the tool was originally designed for before it was repurposed for malware distribution purposes.
Researchers from IBM Trusteer analyzed the most recent code injections that Trickbot uses in the process of stealing information for conducting banking fraud. They discovered new tweaks of the kind that the malware's operators have been making since it was first released in 2016.
The updates include a new server-side injection mechanism; encrypted communications with the command-and-control (C2) server for fetching injections; an anti-debugging feature; and new ways to obfuscate and hide the inject code. Limor Kessem, executive security adviser at IBM, describes the changes as part of an ongoing effort that Trickbot's developers have been putting into keeping the malware one step ahead of security researchers and detection tools.

"Malware that’s designed to get through security controls, as Trickbot is, has to be constantly updated," Kessem says. "Things change [at] the code level, resources are encoded/encrypted and obfuscated. These efforts are there to prevent detection and hinder analysis as much as possible."
Trickbot emerged not long after Russian law enforcement authorities arrested the operators of Dyre, a banking Trojan that was used in attacks that ended up costing millions of dollars in losses for banks such as Chase and Bank of America. The highly modular tool started off as a banking ..