TrickGate, one of the most feared packer-as-a-service, has returned to the market, researchers at CheckPoint found. Cybercriminals use TrickGate to wrap malware, making it harder for antivirus software to detect it. Among the payload of lethal malware, they found a surprising candidate: TrickBot!
The notorious Windows malware, which ruled the threat landscape since 2016, was thought to be obsolete and its operations were perceived to be shut down. Ram Narayanan, Country Manager at Check Point Software Technologies, Middle East, confirmed that there are still takers for it.
TrickGate malware packer constantly changes its outer wrapping, allowing it to evade security products. TrickGate has also been used to distribute many malicious tools, including ransomware, information stealers, banking malware, and crypto miners.
APT organizations and threat actors have been known to utilize TrickGate. Its corresponding tool has also targeted various industries, including the manufacturing sector, education facilities, healthcare, finance, and business enterprises.
Despite thorough examination of the packer, TrickGate remains a master of disguise and has been referred to by various names due to its distinct traits. It is known as “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” “NSIS-based crypter,” and others.
The intertwining tale of TrickGate and TrickBot, two power players in cybercrime
Reports suggest that APT groups and threat actors widely employ TrickGate to conceal their malicious code and evade security technologies. Many infamous malware families include Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, among others, have utilized TrickGate as their wrapping solution.
TrickGate has reportedly funded many threat groups, but one that resembles the packer most is the notorious TrickBot. According to experts, the renowned TrickBot malware is a banking Trojan that was first discovered in 2016 and has since grown into a modular, multi-phase malware capable of a wide range of criminal operations, including credential, data, and personal information theft. Increasing account privileges to get greater access to the infiltrated network.
TrickBot malware is cybercriminals employing packers to execute their malevolent deeds, making it harder for antivirus software to spot their malicious code. The packer, dubbed “Crypter” and “FUD” in hacker circles, obstructs the ability of antivirus programs to detect the code.
Why does the seemingly obsolete TrickBot malware still exist?
TrickBot is popular due to its ability to evade detection, its frequent updates to adapt to security measures, and its widespread distribution through phishing campaigns and exploit kits. While much malware has become obsolete over the last decade, many are still in the market and are still in operation.
TrickBot is still operational because it constantly updates its tactics to evade detection and security measures, and its distribution is perpetuated through phishing and exploit kits. It is also known for targeting many systems, making it a profitable venture for its operators.
TrickBot has caused widespread damage and adapted to global events, like COVID-19, to trick users into opening malicious attachments. During its peak, it sent 240 million spam messages daily and was spread through links to malicious websites.
In 2021, TrickBot topped the global malware chart with an impact of 11% on corporate networks and was linked to other malware families. In 2022, TrickBot declined, but the malware Emotet became the dominant threat.
“During its lifecycle, Trickbot has been continuously linked to different malware families to spread them. Ryuk ransomware or BazarBackdoor, for example, are just some of the malware families delivered by Trickbot. The situation did not change after the botnet takedown in October 2020”, said Ram Narayanan, Country Manager at Check Point Software Technologies, Middle East, in a conversation with The Cyber Express.
“TrickBot is a Windows platform Banking Trojan primarily delivered through spam campaigns or malware like Emotet. It collects information about the infected system and can execute arbitrary modules from its extensive array of options, including remote control and network spreading”, adds Narayanan.
The Trickbot gang behind the malware uses the modules to steal banking credentials, reconnaissance, and deliver targeted ransomware attacks. Despite its current status, the sophisticated development of TrickBot’s code will likely be utilized in future cyber threats.