TrickBot Now Crashes Researchers’ Browsers to Block Malware Analysis

The notorious TrickBot malware has received new features that make it more challenging to research, analyze, and detect in the latest variants, including crashing browser tabs when it detects beautified scripts.

TrickBot has dominated the malware threat landscape since 2016, constantly adding optimizations and improvements while facilitating the deployment of damaging malware and ransomware strains.

As TrickBot is modular, the threat actors can deploy modules that perform a wide variety of malicious activities, including man-in-the-browser attacks to steal online banking credentials, the stealing of active directory databases, spreading through a network, data exfiltration, and more.

Also Read: 4 Considerations In The PDPA Singapore Checklist

Apart from being a banking trojan, TrickBot is also used to deploy other payloads thanks to its stealthiness and effectiveness.

Most recently, it has been linked to the Diavol ransomware group, the Conti ransomware gang, and even the re-emergence of Emotet.

Researchers at IBM Trusteer have analyzed recent samples to see what new anti-analysis features have been introduced recently by the authors and present some interesting findings in their report.

Researchers not welcome

First, TrickBot’s developers use a range of obfuscation and base64 encoding layers for the scripts, including minify, string extraction and replacement, number base and representing, dead code injection, and monkey patching.

Obfuscation is expected in the malware world, but TrickBot features many layers and redundant parts to make analysis slow, cumbersome, and often produce inconclusive results.

Second, when injecting malicious scripts into web pages to steal credentials, the injections don’t involve local resources but rely solely on the actors’ servers. As such, analysts cannot retrieve samples from the memory of infected machines.

TrickBot communicates with the command and control (C2) server using the HTTPS protocol, which supports encrypted data exchange.

Also Read: The 3 Main Benefits Of PDPA For Your Business

Also, the injection requests include parameters that flag unknown sources, so analysts cannot retrieve samples from the C2 using an unregistered endpoint.

By gathering the device’s fingerprint, TrickBot operators can inject a custom script into each victim’s browser, targeting a specific bank and persuading its system that it’s interacting with the actual customer.

Finally, TrickBot features an anti-debugging script in the JS code, which helps it anticipate when it is being analyzed and triggers a memory overload that crashes the page.

TrickBot previously attempted to determine if it’s being analyzed by checking the host’s screen resolution, but now it also looks for signs of “code beautifying.”

Code beautifying is the transformation of obfuscated code or unwrapped text into content more easily readable by a human eye and thus easier to identify interesting code within it.

Recent variants of TrickBot use regular expressions to detect when one of its injected scripts has been beautified, typically indicating a security researcher is analyzing it.

If beautified code is found, TrickBot now crashes the browser to prevent further analysis of the injected script.

“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes,” IBM Trusteer researchers explain in a new blog post.

How to stay safe

TrickBot usually arrives on the target system through phishing emails that include a malicious attachment that executes macros to download and install malware.

Apart from treating incoming emails with caution, it is also advisable to enable multi-factor authentication on all your accounts and regularly monitor login logs where possible.

Because many TrickBot infections end with ransomware attacks, following network segmentation practices and a regular offline backup schedule are also vital to containing potential threats.