
Malware software service unmasked

Tech Reporter

Check Point Research (CPR) has spotted a software service that has been helping threat actors bypass Endpoint Detection and Response (EDR) protection for over six years.


The service, called TrickGate, has customers including well-known actors such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more. TrickGate managed to stay under the radar for years because it changes periodically: while the packer’s wrapper changed over time, the main building blocks of the TrickGate shellcode are still in use.

CPR monitored between 40 and 650 attacks per week over the last two years. It found that the threat actors using TrickGate primarily target the manufacturing sector, but also attack education facilities, healthcare, finance and business enterprises.

The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last two months is Formbook, marking 42% of the total tracked distribution.

There are many forms of attack flow, but the shellcode is the core of the TrickGate packer: it is responsible for decrypting the harmful code and stealthily injecting it into new processes.

The malicious programme is encrypted and packed with a special routine designed to bypass the protected system, so many security products cannot detect the payload either statically or at run-time. CPR researchers did not manage to establish a clear affiliation.

Malware research and protection group manager at CPR, Ziv Huyan, says TrickGate is a master of disguises.

“It has been given many names based on its varied attributes, including ‘Emotet’s packer’, ‘new loader’, ‘Loncom’, ‘NSIS-based crypter’ and more. From previous research we point to a single operation that seems to be offered as a service. The fact that many of the biggest threat actors in recent years have been choosing TrickGate as a tool to overcome defensive systems is remarkable,” Huyan says.

Huyan adds that TrickGate has incredible techniques of masquerading and evasion.

“We carefully monitored the appearance of TrickGate, which is written by utilising different types of code language and also using different file types. But the core flow remained relatively stable. The very same techniques that were used six years ago are still in use today,” Huyan says.
