- TrickBot now checks the screen resolution it’s running at and stops if it’s an unusually low setting.
- The notorious trojan is checking for resolutions that are used by less than 3% of the market.
- TrickBot has been one of the most actively developed malware tools out there, with regular obfuscation, anti-analysis, and detection evasion updates.
The latest versions of the TrickBot trojan sampled by security researchers feature a new anti-analysis mechanism based on checking the active screen resolution. More specifically, TrickBot won’t run on screens that use resolutions as low as 800x600 or 1024x768, as these are typically used in sandboxes. White hat researchers use sandboxes to safely test and analyze malware samples in a secured environment, so refusing to run there may help the malware fly under the radar. Also, malware development and malware protection are a “cat and mouse” game, so the less the other side knows, the better.
Today's #Trickbot loaders with a screen resolution #antivm trick, if you have 800x600 or 1024x768 resolution - you are safe! ;] cc @VK_Intel @James_inthe_box @JAMESWT_MHT @abuse_ch pic.twitter.com/mbGE5IwLH0
— mak (@maciekkotowicz) June 30, 2020
There are many anti-VM techniques used by malware authors in general, including checks of CPU features, the MAC address of the network card, the machine name, the Windows services that run in the background, etc. Some pieces of data are tell-tale signs that the malware is running inside a sandbox. With regard to resolution, 800x600 and 1024x768 greatly increase the confidence that the code is running inside a virtual machine. Statcounter gives a market share of only about 2.5% for 1024x768, while 800x600 is negligible. W3Schools reports 1.4% for 1024x768, so it’s pretty clear that almost nobody is using it.
Virtual machines run in these resolutions because researchers don’t need to test out graphics-intensive applications, and also because sandboxes run on shared resources. Not every researcher has hardware that allows them to set up VMs that pose as powerhouses, either. Even if they could do this, most VM solutions don’t even support resolutions any higher than 1024x768 anyway. If you are using these resolutions not on a VM but on your actual desktop, then we guess malware infections would be the least of your problems.
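For analysts who maintain their own sandboxes, the practical consequence is that guests left at these display modes will produce empty reports for such samples. The following is an added example, not code from the article or from any sandbox product: it audits a list of analysis guests and flags the ones whose display mode matches the two resolutions named above. The inventory line format, guest names and the `display` key are assumptions made for this illustration.

```python
import re

# Resolutions the article says TrickBot treats as sandbox indicators.
FLAGGED = {(800, 600), (1024, 768)}

# Accepts forms such as "1024x768", "1024 X 768" and "1024×768".
RES_RE = re.compile(r"^\s*(\d{3,5})\s*[xX×]\s*(\d{3,5})\s*$")

def parse_resolution(text):
    """Return (width, height), or None if the value is not a resolution."""
    m = RES_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit_guests(inventory):
    """Classify each guest as 'exposed', 'ok' or 'unknown'.

    Assumed line format (hypothetical): <guest-name> key=value ...
    """
    report = {}
    for line in inventory.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields if "=" in f)
        res = parse_resolution(attrs.get("display", ""))
        if res is None:
            report[name] = "unknown"   # missing or unparsable: check in the guest
        elif res in FLAGGED:
            report[name] = "exposed"   # matches the check described in the article
        else:
            report[name] = "ok"
    return report

# Constructed sample inventory, not real data.
SAMPLE = """
# name        attributes
win10-a       display=1024x768 ram=4096
win10-b       display=1920x1080 ram=8192
win7-legacy   display=800X600
win10-c       ram=4096
win10-d       display=auto
"""

if __name__ == "__main__":
    for guest, status in audit_guests(SAMPLE).items():
        print(f"{guest:12} {status}")
```

Guests reported as `unknown` deserve a manual look, since a missing or automatic setting says nothing about the mode the guest actually boots into.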
TrickBot is a very active software project, which is why researchers like to follow it closely. In January 2020, it demonstrated the capability to steal sensitive data from the Windows Active Directory. In December 2019, it abused legitimate cloud services to distribute phishing emails and avoid detection. Back in May 2019, the malware authors incorporated a URL redirection system that passed through Google URLs and tricked email spam filters as a result. And now, TrickBot will hide its intricate operation when set to run inside sandboxes. All in all, it’s a nasty piece of malware that keeps getting smarter and more evasive.