TrickBot Malware Has Updated Itself With Anti-Analysis Features

  • TrickBot is now checking what resolution it’s running on and stops if it’s an unusually low setting.
  • The notorious trojan is checking for resolutions that are used by less than 3% of the market.
  • TrickBot has been one of the most actively developed malware tools out there, with regular obfuscation, anti-analysis, and detection evasion updates.

The latest versions of the TrickBot trojan that have been sampled by security researchers feature new anti-analysis systems based on the checking of the active resolution. More specifically, TrickBot won’t run on screens that use resolutions as low as 800x600 or 1024x768, as these are typically used in sandboxes. White hat researchers are using sandboxes to safely test and analyze the malware samples in a secured environment, so no running there may help fly under the radar. Also, malware development and malware protection is a “cat and mouse” game, so the less the other side knows, the better.

There are many anti-VM techniques used by malware authors in general, including the checking of CPU features, the MAC addresses of the network card, the machine name, the Windows services that run in the background, etc. Some pieces of data are tell-tale signs that the malware is running inside a sandbox. In regards to the resolution, 800x600 and 1024x768 are factors that greatly increase the confidence of the assumption of running inside a virtual machine. Statcounter is giving a market share of only about 2.5% for 1024x768, while 800x600 is negligible. W3Schools is reporting 1.4% for 1024x768, so it’s pretty clear that almost nobody is using it.

Virtual machines run in these resolutions because researchers don’t need to test out graphics-intensive applications, and also because sandboxes run on shared resources. That said, not every researcher has hardware that allows them to set up VMs that pose as powerhouses. Even if they could do this, most VM solutions don’t even support resolutions any higher than 1024x768 anyway. If you are using these resolutions not on a VM but on your actual desktop, then we guess malware infections would be the least of your problems.

TrickBot is a very active software project, which is why researchers like to follow it closely. In January 2020, it demonstrated the capability to steal sensitive data from the Windows Active Directory. In December 2019, it abused legitimate cloud services to distribute phishing emails and avoid detection. Back in May 2019, the malware authors incorporated a URL redirection system that passed through Google URLs and tricked email spam filters as a result. And now, TrickBot will hide its intricate operation when set to run inside sandboxes. All in all, it’s a nasty piece of malware that keeps getting smarter and more evasive.

REVIEW OVERVIEW

Latest

Proton VPN Gets a Design Refresh & Better Integration With Other Proton Services

Proton VPN gets a new logo, color palette, and subtle changes to its UI.There’s a simpler pricing structure, letting you bundle Proton-branded...

How to Watch That Damn Michael Che Season 2 Online From Anywhere

Did you miss a theme or incident, such as police brutality, unemployment, and romance, and use sketches and vignettes to illustrate what...

How to Watch Look At Me: XXXTENTACION Online From Anywhere – Stream the Jahseh Onfroy Documentary

Look At Me: XXXTENTACION is an upcoming documentary detailing the late artist's monumental come-up and tragic death. We have all the information...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari