TrickBot Malware Has Updated Itself With Anti-Analysis Features

  • TrickBot is now checking what resolution it’s running on and stops if it’s an unusually low setting.
  • The notorious trojan is checking for resolutions that are used by less than 3% of the market.
  • TrickBot has been one of the most actively developed malware tools out there, with regular obfuscation, anti-analysis, and detection evasion updates.

The latest versions of the TrickBot trojan that have been sampled by security researchers feature new anti-analysis systems based on the checking of the active resolution. More specifically, TrickBot won’t run on screens that use resolutions as low as 800×600 or 1024×768, as these are typically used in sandboxes. White hat researchers are using sandboxes to safely test and analyze the malware samples in a secured environment, so no running there may help fly under the radar. Also, malware development and malware protection is a “cat and mouse” game, so the less the other side knows, the better.

There are many anti-VM techniques used by malware authors in general, including the checking of CPU features, the MAC addresses of the network card, the machine name, the Windows services that run in the background, etc. Some pieces of data are tell-tale signs that the malware is running inside a sandbox. In regards to the resolution, 800×600 and 1024×768 are factors that greatly increase the confidence of the assumption of running inside a virtual machine. Statcounter is giving a market share of only about 2.5% for 1024×768, while 800×600 is negligible. W3Schools is reporting 1.4% for 1024×768, so it’s pretty clear that almost nobody is using it.

Virtual machines run in these resolutions because researchers don’t need to test out graphics-intensive applications, and also because sandboxes run on shared resources. That said, not every researcher has hardware that allows them to set up VMs that pose as powerhouses. Even if they could do this, most VM solutions don’t even support resolutions any higher than 1024×768 anyway. If you are using these resolutions not on a VM but on your actual desktop, then we guess malware infections would be the least of your problems.

TrickBot is a very active software project, which is why researchers like to follow it closely. In January 2020, it demonstrated the capability to steal sensitive data from the Windows Active Directory. In December 2019, it abused legitimate cloud services to distribute phishing emails and avoid detection. Back in May 2019, the malware authors incorporated a URL redirection system that passed through Google URLs and tricked email spam filters as a result. And now, TrickBot will hide its intricate operation when set to run inside sandboxes. All in all, it’s a nasty piece of malware that keeps getting smarter and more evasive.



Researchers Find Multiple Vulnerabilities in WP Fastest Cache Plugin

WP Fastest Cache Plugin has two vulnerabilities recently patched.Authors released version 0.9.5 to fix the vulnerabilities.If still unpatched, hackers can have admin...

Missouri to Prosecute ‘Hacker’ Who Informed State About Data Leak

Missouri Governor threatened to take up legal action against a reporter who found a cybersecurity blunder.The journalist discovered educators' social security numbers...

Man Scams Amazon Textbook Rental Service for $1.5 Million

An US citizen was arrested after borrowing expensive Amazon books and then selling them.The man used gift cards, multiple customer accounts, and...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari