TrickBot Malware Has Updated Itself With Anti-Analysis Features

  • TrickBot is now checking what resolution it’s running on and stops if it’s an unusually low setting.
  • The notorious trojan is checking for resolutions that are used by less than 3% of the market.
  • TrickBot has been one of the most actively developed malware tools out there, with regular obfuscation, anti-analysis, and detection evasion updates.

The latest TrickBot trojan samples collected by security researchers feature a new anti-analysis check based on the active screen resolution. More specifically, TrickBot won’t run on screens set to resolutions as low as 800×600 or 1024×768, as these are typically used in sandboxes. White hat researchers use sandboxes to safely run and analyze malware samples in a secured environment, so refusing to run there may help the malware fly under the radar. Malware development and malware protection are also a “cat and mouse” game, so the less the other side knows, the better.

There are many anti-VM techniques used by malware authors in general, including checking CPU features, the MAC address of the network card, the machine name, the Windows services running in the background, and so on. Some pieces of data are tell-tale signs that the malware is running inside a sandbox. As for resolution, 800×600 and 1024×768 greatly increase the confidence that the code is running inside a virtual machine. Statcounter gives a market share of only about 2.5% for 1024×768, while 800×600 is negligible. W3Schools reports 1.4% for 1024×768, so it’s pretty clear that almost nobody is using it.
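As an added example (not TrickBot’s code and not from the article’s sources), here is a sandbox self-test an analyst could run to see whether an analysis VM’s display would trip the resolution rule described above, using the page’s “below 3% market share” logic. The market-share table is constructed for illustration, and the non-Windows fallback assumes an X11 desktop with xrandr available.

```python
"""Sandbox display self-test: flag analysis VMs whose screen resolution
matches the low-resolution profile that TrickBot reportedly refuses to run under."""
import ctypes
import subprocess
import sys
from typing import Optional, Tuple

# Resolutions the article names as sandbox tell-tales (width, height).
SANDBOX_TYPICAL = {(800, 600), (1024, 768)}

# Constructed desktop market-share table (fractions); only the 1024x768 figure
# (~2.5%) follows the article, the rest is illustrative.
MARKET_SHARE = {
    (1920, 1080): 0.20,
    (1366, 768): 0.18,
    (1536, 864): 0.08,
    (1024, 768): 0.025,
    (800, 600): 0.001,
}

def is_sandbox_giveaway(width: int, height: int, threshold: float = 0.03) -> bool:
    """True if the resolution is a known tell-tale or is used by less than
    `threshold` of the market (the <3% rule); unlisted resolutions are not judged."""
    if (width, height) in SANDBOX_TYPICAL:
        return True
    share = MARKET_SHARE.get((width, height))
    return share is not None and share < threshold

def recommend_resolution() -> Tuple[int, int]:
    """Most common resolution in the table: what an analysis VM should present."""
    return max(MARKET_SHARE, key=MARKET_SHARE.get)

def current_resolution() -> Optional[Tuple[int, int]]:
    """Best-effort primary display size; None when it cannot be determined (headless)."""
    if sys.platform == "win32":
        user32 = ctypes.windll.user32
        return user32.GetSystemMetrics(0), user32.GetSystemMetrics(1)  # SM_CXSCREEN, SM_CYSCREEN
    try:  # X11 fallback: the active mode line of xrandr output carries a '*'
        out = subprocess.run(["xrandr", "--current"], capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    for line in out.splitlines():
        if "*" in line:  # e.g. "   1920x1080     60.00*+"
            w, h = line.split()[0].split("x")
            return int(w), int(h)
    return None

def audit(res: Optional[Tuple[int, int]] = None) -> str:
    """Human-readable verdict for the given (or detected) resolution."""
    res = res or current_resolution()
    if res is None:
        return "unknown display; cannot audit"
    if is_sandbox_giveaway(*res):
        rec = "x".join(map(str, recommend_resolution()))
        return f"{res[0]}x{res[1]} looks like a sandbox; consider {rec}"
    return f"{res[0]}x{res[1]} blends in with common desktops"

if __name__ == "__main__":
    print(audit())
```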

Virtual machines run at these resolutions because researchers don’t need to test graphics-intensive applications, and because sandboxes run on shared resources. That said, not every researcher has hardware that allows them to set up VMs that pose as powerhouses. Even if they could, most VM solutions don’t support resolutions any higher than 1024×768 anyway. If you are using these resolutions not on a VM but on your actual desktop, then we guess malware infections would be the least of your problems.

TrickBot is a very active software project, which is why researchers like to follow it closely. In January 2020, it demonstrated the capability to steal sensitive data from Windows Active Directory. In December 2019, it abused legitimate cloud services to distribute phishing emails and avoid detection. Back in May 2019, the malware authors incorporated a URL redirection system that passed through Google URLs and, as a result, tricked email spam filters. And now, TrickBot will hide its intricate operation when it is run inside a sandbox. All in all, it’s a nasty piece of malware that keeps getting smarter and more evasive.
