KEEPNET LABS > Blog > Newest Tricks Used in TrickBot Trojan

Newest Tricks Used in TrickBot Trojan

The Titan TrickBot Trojan implemented a fantastic debugging protection feature. Before the researchers can even begin to investigate the malicious code, it detects security analysis and disables their browsers.

Newest Tricks Used in TrickBot Trojan

The Titan TrickBot Trojan has added an amazing debugging protection feature recently. It detects security analysis and disables researchers’ browsers before they even begin to analyze the malicious code. But how does this code work? Let’s see the newest tricks used in TrickBot Trojan!

What is A TrickBot and How Does It Work?

Hackers make it hard for researchers to analyze the TrickBot code by shifting all strings to an array. Hackers also encrypt the code in order to hide information about the malware’s execution. And the usage of hex representation makes deciphering it even more difficult.


TrickBot, which was first discovered in 2016, has developed from a basic banking trojan into a strong threat with a wide range of harmful capabilities, including backdoor access, data theft, and payload delivery. Additionally, the gang has launched new distribution affiliates specialized in ransomware. Following the fall of Emotet last year, TrickBot gained clout. This occurred after the gang stepped in to assist in keeping the virus in circulation, and both parties began collaborating.

Newest Tricks Used in TrickBot Trojan

IBM Security Intelligence experts identified the new anti-debugging function. They documented the advent of a number of TrickBot strategies designed to make the task of a security researcher more difficult. To keep code safe, these innovative methods include server-side injection distribution and encrypted interactions with the command-and-control (C2) server.


IBM’s intelligence team discovered that the TrickBot script detects analysis to make it easier to read the code with the human eye when they apply the “beautify” tool. When TrickBot detects the developer, it starts a memory overload reaction to close the explorer tab. The experts say TrickBot uses a regular expression to detect the incorrect setting. And then it starts a loop that increases the size of the dynamic array with each iteration. After a few rounds, the memory eventually overloads and the browser crashes.

In addition, the experts discovered that TrickBot purposely renders its code unreadable. Because they want to compel analysts to utilize beautification tools to make sense of it. This includes adding unnecessary code and what experts describe as correcting monkeys. This means correcting the built-in functions to change their behavior in such a way that it is impossible to understand what is triggered by static analysis. For example, when looking at confusing injection code, the security expert can start by decoding it from the Base64 format. And then they can make all the ready-made information and functions human-readable.
In the end, the code becomes texts with real meanings. All these efforts are part of the improvement of the code, and TrickBot expects this from the researchers, which makes it a good place to deter them.

Newest Tricks Used in TrickBot Trojan

Join
Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.