March 28, 2023

TrickBot malware has received new features that make it more challenging to research, analyze, and detect in the latest variants, including crashing browser tabs when it detects beautified scripts.

With trickBot, threat actors can use it in wide variety of malicious activities. Recently researchers have analyzed samples to see what new anti-analysis features have been introduced recently by the authors and present some interesting findings in their report.

Advertisements

Firstly, TrickBot use a range of obfuscation and base64 encoding layers for the scripts, including minify, string extraction and replacement, number base and representing, dead code injection, and monkey patching.

Secondly, while injecting malicious scripts into web pages to steal credentials, the injections don’t involve local resources but rely solely on the actors’ servers. Analysts cannot retrieve samples from the memory of infected machines.

The injection requests include parameters that flag unknown sources, so analysts cannot retrieve samples from the C2 using an unregistered endpoint which is encrypted for data exchange. By injecting custom scripts it invades user browser targeting specific banks.

Finally, TrickBot features an anti-debugging script in the JS code, which helps it anticipate when it is being analyzed and triggers a memory overload that crashes the page.

Advertisements

In previous instances it used screen resolution to determine if it’s being analyzed, now it also looks for signs of code beautifying, a transformation of obfuscated code or unwrapped text into content more easily readable by a human eye and thus easier to identify interesting code within it.

Once the beautifiel code is found, TrickBot now crashes the browser to prevent further analysis of the injected script.

TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, leading to browser crash.

Indicators of Compromise

Domains/ resources

hxxps:\/\/myca.adprimblox.fun

hxxps:\/\/ksx.global-management-holdings.com

hxxps:\/\/on.imagestorage.xyz

hxxps:\/\/997.99722.com

hxxps:\/\/akama.pocanomics.com

hxxps:\/\/web7.albertleo.com

IP addresses

  • 94.242.58.165
  • 185.14.30.111
  • 208.115.238.183
  • 51.83.210.212
  • 103.119.112.188
  • 185.198.59.85

SHA1 hashes

  • jquery-1.10.1.js: 5acd3cddcc921bca18c36a1cb4e16624d0355de8
  • downloader js: ae1b927361e8061026c3eb8ad461b207522633f2

Leave a Reply

%d bloggers like this: