To thwart researchers, TrickBot's operators are adding more security to their operations: the injections used in online banking fraud have been given several more layers of protection.
The added security
IBM Trusteer researchers looked at the most recent TrickBot injections and anti-analysis tactics used to disguise its actions. These techniques can be divided into four categories:
The first is server-side injection delivery: the operators host the injections on their own server, so a downloader or JS loader fetches the required injection from there rather than carrying it with the bot.
Second, the JS downloader communicates with the command-and-control (C2) server over a secure channel. It retrieves injections by sending an HTTPS request to a C2 server controlled by the attackers.
As a third layer, the attackers employ anti-debugging. TrickBot's JS code now includes an anti-debugging script designed to anticipate typical researcher behaviours, such as the use of code beautification. To defeat code beautification, for example, TrickBot uses RegEx functions.
The fourth is the use of encoding and obfuscation techniques such as Base64, Minify/Uglify, number base and representation changes, string extraction and replacement, dead code injection, and monkey patching.
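The four categories above describe tactics that leave recognisable traces in a script. The following Python triage helper, added here as an illustration and not code from IBM Trusteer or from TrickBot, scores a JavaScript sample for those traces: long Base64 blobs, minified layout, hex number representation, string-array lookups, monkey patching of browser built-ins, a `debugger` statement, and a RegEx test against the function's own source that would fire once the code has been beautified. The indicator patterns, weights, threshold and the two sample scripts are constructed assumptions chosen for illustration, not signatures taken from real samples.

```python
"""Heuristic triage of a suspected web-inject script (added example).

Scores a JavaScript sample for the anti-analysis and obfuscation tactics
described in the article. Patterns, weights and sample scripts are
constructed assumptions, not signatures from real TrickBot samples.
"""
import base64
import re

# Indicator name -> regular expression (all patterns are assumptions).
INDICATORS = {
    # a long run of Base64 alphabet, typically an encoded payload or config
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    # hex or octal-looking literals used in place of plain decimal constants
    "number_base": re.compile(r"\b0[xX][0-9a-fA-F]+\b|\b0[oO]?[0-7]{2,}\b"),
    # string-array lookup idiom such as _0x4f2a[0x1] (string extraction)
    "string_array_lookup": re.compile(r"\b_0x[0-9a-f]+\[0x[0-9a-f]+\]"),
    # reassignment of a browser built-in (monkey patching)
    "monkey_patch": re.compile(
        r"\b(XMLHttpRequest|fetch|console|Function|eval|JSON|document)\b"
        r"[\w.]*\s*=\s*function"),
    # a whitespace regex tested against source text, or toString() fed to a
    # regex method: the anti-beautification check described above
    "anti_beautify": re.compile(
        r"toString\(\)[^;]{0,40}\.(test|match|search)\("
        r"|/[^/\n]*\\[ns][^/\n]*/\.test\("),
    # plain anti-debugging idiom
    "debugger_stmt": re.compile(r"\bdebugger\b"),
}

# Assumed weights: self-source checks and monkey patching weigh most.
WEIGHTS = {"base64_blob": 1, "number_base": 1, "string_array_lookup": 2,
           "monkey_patch": 2, "anti_beautify": 3, "debugger_stmt": 2,
           "minified": 1}
SUSPICIOUS_THRESHOLD = 5  # assumption


def find_indicators(script: str) -> dict:
    """Return {indicator: hit count} for indicators that occur at least once."""
    hits = {name: sum(1 for _ in rx.finditer(script))
            for name, rx in INDICATORS.items()}
    return {name: n for name, n in hits.items() if n}


def looks_minified(script: str, max_line: int = 200) -> bool:
    """Minify/Uglify output: very long lines or many statements per line."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    if not lines:
        return False
    longest = max(len(ln) for ln in lines)
    return longest > max_line or script.count(";") / len(lines) > 5


def decode_base64_blobs(script: str) -> list:
    """Decode Base64-looking blobs that turn out to be printable ASCII."""
    decoded = []
    for blob in INDICATORS["base64_blob"].findall(script):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def triage(script: str) -> dict:
    """Combine the checks into a score and a coarse verdict."""
    indicators = find_indicators(script)
    minified = looks_minified(script)
    score = sum(WEIGHTS[name] for name in indicators)
    score += WEIGHTS["minified"] if minified else 0
    return {
        "indicators": indicators,
        "minified": minified,
        "decoded_strings": decode_base64_blobs(script),
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low",
    }


# Constructed sample: one minified line exhibiting every tactic in the
# article (the Base64 string decodes to harmless text made up for this demo).
SAMPLE_SCRIPT = r"""
var _0x4f2a=["aW5qZWN0IGZldGNoZWQgZnJvbSBjMiBzZXJ2ZXIh","c3VibWl0"];function beacon(){return _0x4f2a[0x1];}if(/\n\s+/.test(beacon.toString())){debugger;throw 0x0;}XMLHttpRequest.prototype.open=function(m,u){this._u=u;};var dead=0x1f;if(dead===0x0){console.log("never");}
""".strip()

# Constructed benign script for comparison.
BENIGN_SCRIPT = 'function greet(name) {\n  return "hello " + name;\n}\n'

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, triage(src))
```

The scoring is deliberately coarse: hex literals or a `toString()` call also occur in legitimate bundles, which is why single indicators carry low weight and the verdict is driven by the combination that the article describes (encoded strings, minification, a self-source check and patched built-ins appearing together).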
The Injection Method
For banking fraud, TrickBot employs a number of injections to deceive both users and service providers.
The operators use man-in-the-browser (MiTB) scripts to intercept communication between users (e.g. an online banking customer) and external services.
Attackers typically use banking trojans to intercept the targeted user's traffic during web sessions.
Injections for TrickBot are retrieved either locally from configuration files or in real-time from the inject server.
Furthermore, the attack strategy is tailored to each bank to work around the obstacles the attackers encounter.
The latest findings show that TrickBot's operators are adept and inventive at taking their malware to new heights, and they make a concerted effort to keep their activity off security radars. It is therefore critical for companies and researchers to keep their own strategies up to date and work consistently to counter such risks.