Trickbot malware is one of the widely known Banking Trojan emerging again with sophisticated techniques to at target the various financial institutions and large bank to steal the banking credentials.
The current version of Trickbot malware is spreading with a powerful code injection technique to evade the detection, anti-analysis technique and disable the security tools that run in the target victims computer.
Trickbot which is capable of launching MitB attacks originated in the middle of 2016 and it targets financial institutions.
Trickbot have an ability to stealing the data from Microsoft Outlook, locking the victim’s computer, information gathering, network information gathering and domain credentials stealing.
It Also distributed with the technique such as sleep for long and short time to avoid detection for the most of the security software.
— Cyberbit (@CYBERBITHQ) August 15, 2018
How does Trickbot Malware Works
An initial distribution of Trickbot malware launching via Microsoft word document which contains embedded Macro code.
Word document macro will not be executed directly instead, the user needs to execute enable content and zoomed in/out of the document to complete the execution process which is one of the new technique to evade the sandbox analysis.
Same as a variety of malicious document execute the PowerShell script and download the Trickbot malware and executed it into the victim’s machine.
Once it dropped the payload from it command & control server then the malware sleeps for 30 seconds to evade sandboxes by calling Sleep(30000) and then decrypts its resource using the RSA algorithm.once the sleep time is completed.
Apart from this TrickBot performing hollow process injection using direct system calls and researchers believe that this malware sharing the code with Flokibot malware.
According to cyberbit, It using CreateProcessW to create a suspended process and the malware uses CreateFileW to obtain a handle to ntdll.dll it copies it a buffer allocated by VirtualAlloc using ReadFile, and then allocates another buffer for mapping it to the memory from its raw Copy.
Trickbot using some function(red) for hollowing from direct system calls and some functions(Blue) hollowing from the addresses saved on the stack earlier.
After running the malware, we can see, as in previous variants, it copied itself and its encrypted modules to C:\Users\%USERNAME%\AppData\Roaming\msnet
Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat, Researchers said.