TrickBot Operators Strengthen Obfuscation Game with Layered Security


To hinder researchers, TrickBot's operators have added further protection to their tooling: the web injections used in online banking fraud now sit behind several additional layers of anti-analysis defences.

The added security

IBM Trusteer researchers examined the most recent TrickBot injections and the anti-analysis tactics used to disguise what they do. These techniques fall into four categories:

The first is server-side injection delivery. The operators keep the injections on their own server, and a small downloader or JS loader on the infected machine fetches the injection it needs at the moment it is needed. A captured sample therefore contains only the loader, not the injection itself.

Second, the JS downloader communicates with the command-and-control (C2) server over an encrypted channel: it retrieves the injections with HTTPS requests to a C2 server controlled by the attackers, so the injection traffic cannot be read in transit.

The third layer is anti-debugging. TrickBot's JS code now includes an anti-debugging script that anticipates typical researcher behaviour, such as running the code through a beautifier to make it readable. To defeat beautification, TrickBot uses regular-expression (RegEx) checks that recognise reformatted code, so that a beautified copy of the script does not behave like the original.
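The following is an added example written for this article, not TrickBot's own script, to show how such a RegEx-based anti-beautification check works. A minified injection has no indented lines and no spaces between a closing parenthesis and an opening brace; a beautifier introduces both. The two constructed source strings, the regular expressions and the "decoy"/"payload" labels are assumptions chosen for the example; a real sample would run or eval the injection on the victim branch and loop, redirect or fetch a harmless decoy on the analyst branch.

```javascript
// Added example: anti-beautification self-check of the kind described above.
// Illustrative code for this article, not TrickBot's script.

// Constructed "injection" in the two forms a researcher would encounter:
// exactly as delivered (minified) and after a beautifier has been run on it.
const MINIFIED_SRC =
  'var a=document.getElementById("pwd");if(a){a.addEventListener("input",function(e){window.__c=e.target.value})}';

const BEAUTIFIED_SRC = [
  'var a = document.getElementById("pwd");',
  'if (a) {',
  '  a.addEventListener("input", function (e) {',
  '    window.__c = e.target.value;',
  '  });',
  '}',
].join('\n');

// Heuristics an anti-analysis stub can apply to its own source text:
//  1. a minified file never has a line that begins with indentation;
//  2. a minifier emits "){" and never ") {" (whitespace before the brace).
const INDENT_RE = /\n[ \t]+\S/;
const SPACED_BRACE_RE = /\)\s+\{/;

// True when the source looks like it has been reformatted by a beautifier.
function isBeautified(source) {
  return INDENT_RE.test(source) || SPACED_BRACE_RE.test(source);
}

// What the stub does with the verdict. Real samples loop forever, redirect
// the tab or pull a decoy; this version returns a label so it is testable.
function guardedRun(source) {
  if (isBeautified(source)) {
    return 'decoy';   // analyst-facing branch: the real injection is never executed
  }
  return 'payload';   // victim-facing branch: a real stub would eval(source) here
}

// In a browser the stub would read its own text, e.g. via
// document.currentScript.text or Function.prototype.toString; here the two
// constructed sources stand in for that.
console.log('minified   ->', guardedRun(MINIFIED_SRC));
console.log('beautified ->', guardedRun(BEAUTIFIED_SRC));
```

The practical consequence for analysts: beautify a copy for reading, but debug the byte-for-byte original (or patch the check out) so the script takes the victim-facing branch.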

The fourth is the use of encoding and obfuscation techniques: Base64 encoding, minification/uglification, alternative number-base representations, string extraction and replacement (moving literals into a lookup table), dead-code injection, and monkey patching.
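To make several of those layers concrete, here is an added example (written for this article, not TrickBot's code) of a small deobfuscator that undoes four of them in sequence: a Base64-encoded string table, hexadecimal number-base representation of the table indices, string extraction and replacement, and a trivially dead `if(0x0){...}` branch. The obfuscated sample, the `_0x4f2a` table name and the `send` call are constructed for the example; the regular expressions assume the simple shapes shown and would need a real parser for nested braces or tables containing `,` or `]`.

```javascript
// Added example: peeling four obfuscation layers off a constructed sample.
// Illustrative code for this article, not TrickBot's own script or tooling.

// Constructed obfuscated snippet. The string table holds Base64 strings,
// lookups use hex indices, and the first statement is dead code.
const OBFUSCATED_SAMPLE = [
  'var _0x4f2a=["Z2V0RWxlbWVudEJ5SWQ=","cGFzc3dvcmQ=","aW5wdXQ=","dmFsdWU="];',
  'if(0x0){console.log("never")}',
  'var f=document[_0x4f2a[0x0]](_0x4f2a[0x1]);',
  'f.addEventListener(_0x4f2a[0x2],function(e){send(e.target[_0x4f2a[0x3]])});',
].join('');

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Layer: string extraction. Locate `var _0x....=[ "...", "..." ];` and pull
// out the table name and its (still encoded) entries.
const TABLE_RE = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];/;
function extractStringTable(source) {
  const m = TABLE_RE.exec(source);
  if (!m) throw new Error('no string table found');
  const entries = m[2].split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
  return { name: m[1], entries, declaration: m[0] };
}

// Layer: Base64. Node's Buffer is used; atob would do in a browser.
function decodeBase64(s) {
  return Buffer.from(s, 'base64').toString('utf8');
}

// Layers: number-base representation + string replacement. Every
// `<table>[0x..]` (or decimal index) becomes the decoded literal.
// Number('0x3') === 3, so hex and decimal indices are handled alike.
function resolveLookups(source, table) {
  const lookupRe = new RegExp(escapeRegExp(table.name) + '\\[(0x[0-9a-fA-F]+|\\d+)\\]', 'g');
  return source.replace(lookupRe, (_, idx) => {
    const i = Number(idx);
    if (i >= table.entries.length) throw new Error('index out of table range: ' + idx);
    return JSON.stringify(decodeBase64(table.entries[i]));
  });
}

// Cosmetic pass: obj["name"] -> obj.name where the literal is a valid identifier.
function bracketToDot(source) {
  return source.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

// Layer: dead code. Only the simplest shape is handled: if(0x0){...} with no
// nested braces. Anything richer needs an AST, not a regex.
function stripDeadBranches(source) {
  return source.replace(/if\(0x0\)\{[^{}]*\}/g, '');
}

function deobfuscate(source) {
  const table = extractStringTable(source);
  let out = source.replace(table.declaration, '');
  out = stripDeadBranches(out);
  out = resolveLookups(out, table);
  return bracketToDot(out);
}

console.log(deobfuscate(OBFUSCATED_SAMPLE));
```

Resolving the table first is deliberate: once the literals are back in place, the DOM selectors and event names the injection targets (here a password field and its input events) are readable, and the remaining layers become ordinary readability fixes.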

The Injection Method

For banking fraud, TrickBot employs a number of web injections designed to deceive both the user and the bank.

The operators use man-in-the-browser (MiTB) scripts to intercept and alter the communication between a user and an external service, for example between an online banking customer and the bank's website.

Banking trojans are the usual vehicle for this: because they run on the victim's machine, they can tamper with the web session from inside the browser, where the traffic is already decrypted.

TrickBot's injections are retrieved either locally, from configuration files, or in real time from the inject server.

The attack logic is tailored to each targeted bank and adjusted whenever the attackers run into obstacles on a particular site.

Conclusion

The latest findings show that TrickBot's operators are adept and inventive in taking their malware further. They make a concerted effort to keep their activity off security radars. Companies and researchers therefore need to keep their analysis and defence strategies current and make a consistent effort to counter such threats.

By IEMA IEMLabs

IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company and a member of EC-Council, NASSCOM, the Data Security Council of India (DSCI), the Indian Chamber of Commerce (ICC), the U.S. Chamber of Commerce, and the Confederation of Indian Industry (CII). The company was established in 2016 with the aim of providing cyber security to the digital world and making it hack-proof. Why the sudden focus on cyber security? As technology develops, more and more companies are moving their business online, and cyber crime is rising with it.
