![]() What can be done against the TrickGate threat? Once the payload is decrypted, it is injected in a new process by a set of direct calls to the kernel. TrickGate always changes the way the payload is decrypted so that automated unpacking for another version is useless. ![]() It then adds unrelated clean code and debug strings inside the crypted file in order to raise false flags for the analysts and render the analysis harder. It uses the API hash resolving technique to hide the names of the Windows APIs strings as they are turned into a hash number. TrickGate’s functionalitiesĪlthough the code analyzed by the researchers has changed over the last six years, the main functionalities exist on all samples. As it’s unlikely that different threat actors took vacation at the same time, the researchers dug further and found TrickGate. When Check Point suddenly stopped seeing that code being used, they discovered that it had stopped deploying for several different attack campaigns at the exact same time. Security researchers considered parts of the TrickGate code to be shared code that would be widely used by many cybercriminals, as is often the case in the malware development environment where developers often copy existing code from others and modify it. SEE: Mobile device security policy (TechRepublic Premium) How did TrickGate stay undetected for so long? Must-read security coverage All the usual initial compromise vectors can be used, such as phishing emails or abuse of vulnerabilities to compromise a server or computer, and the crypted files might be in archive files (ZIP, 7 ZIP or RAR) or in the PDF or XLSX format. The threats crypted by TrickGate are delivered in different formats depending on the threat actor deploying it. Jump to: TrickGate’s massive distributionĬheck Point monitored 40 to 650 attacks per week over the last two years and found the most popular malware family crypted by TrickGate was FormBook, an information stealer malware. The crypter has been in development since 2016 when it was used to spread the Cerber malware, but it has been used for several major malware campaigns, including Trickbot and Emotet ( Figure A).įigure A Image: Check Point. In new research, Check Point has exposed a crypter dubbed TrickGate developed by cybercriminals and sold as a service.
0 Comments
Leave a Reply. |