5 min read

Trickbot Injections Get Harder to Detect & Analyze

The authors of the infamous malware family have added measures for better protecting malicious code injections against inspection and research.

The authors of the Trickbot Trojan have added multiple layers of defenses around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations.

The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is being used to conduct online banking fraud — something the tool was originally designed for before it was repurposed for malware distribution purposes.

Researchers from IBM Trusteer analyzed the most recent code injections that Trustbot uses in the process of stealing information for conducting banking fraud. They discovered new tweaks to it of the type that the operators of the malware have been making since it was first released in 2016.

The updates include a new server-side injection mechanism; encrypted communications with the command-and-control (C2) server for fetching injections; an anti-debugging feature; and new ways to obfuscate and hide the inject code. Limor Kessem, executive security adviser at IBM, describes the changes as part of an ongoing effort that Trickbot's developers have been putting into keeping the malware one step ahead of security researchers and detection tools.

"Malware that’s designed to get through security controls, as Trickbot is, has to be constantly updated," Kessem says. "Things change [at] the code level, resources are encoded/encrypted and obfuscated. These efforts are there to prevent detection and hinder analysis as much as possible." 

Trickbot emerged not long after Russian law enforcement authorities arrested the operators of Dyre, a banking Trojan that was used in attacks that ended up costing millions of dollars in losses for banks such as Chase and Bank of America. The highly modular tool started off as a banking Trojan like Dyre and is designed to steal information that would allow attackers to access and steal money from a victim's bank account. Over the years, Trickbot morphed also into a vehicle for distributing other malware, including ransomware and other banking Trojans, such as Emotet.

The operators of Trickbot have so far been largely impervious to takedown attempts. This includes one attempt in October 2020 in which researchers at Microsoft, ESET, and other security vendors worked with the Financial Services Information Sharing and Analysis Center to disrupt Trickbot's C2 infrastructure. At the time, the malware had infected more than a million systems in 12 countries. Though the takedown effort resulted in some 19 different Trickbot C2 servers at different locations being disconnected, it had only a moderate impact at best on the malware operation. Details from an indictment last year against a Latvian developer of the malware described the core Trickbot group as made up of some 20 individuals, including software developers, malware experts, money mules, and programmers.

Extra Protections
IBM's analysis of the latest version of TrickBot shows that the operators have added extra protections to code injections that are used in real time when a user with an infected machine might attempt to access their bank account online. The injections are designed to modify information going out from the user's browser on-the-fly before it reaches the bank's server.

One of the ways cybercriminals trick victims into divulging sensitive information Is by using customized Web-injection flows that mimic what they would normally expect when interacting online with their bank, Kessem says. "They can go all the way to creating a fake banking site on their servers and take victims there instead," she says. "In other cases, they create a more robust scheme that involves humans on the other end," as was the case with Dyre attackers.

IBM's analysis shows that instead of fetching injection code from configuration files stored locally on a compromised system, Trickbot's operators now have begun injecting the code in real time from their own server. This kind of server-side injection is easier for attackers to manipulate in real time than locally stored injections. They also make it much harder for defenders to understand what malicious activity might be launched against a particular target, IBM said.

A JavaScript downloader that Trickbot uses has also been tweaked so it now uses the HTTPS protocol to securely fetch Web injections from an attacker-controlled inject-server. The injections are tailored for specific bank URLs and are designed to trick users into divulging information the attackers can use to steal money from an online bank account.

As a further measure, Trickbot's authors have added an anti-debugging feature to the malware's JavaScript code. The debugging feature is designed to spot the so-called "code-beautifying" that security researchers do when analyzing suspicious code. When Trickbot's new anti-debugging mechanism detects any attempt at such code beautifying, it immediately triggers a process that results in memory getting overloaded and the browser crashing, IBM said.

The code that Trickbot injects itself is also highly obfuscated. It is encoded with Base64 and uses a variety of tricks such as making code unreadable to the human eye or hiding information about code execution and representing numbers and variables in a deliberately complex way. "Knowing about the techniques helps defenders know what to expect," Kessem says, "and to unpack the challenging parts so they can analyze the malware and adjust controls."