Trojan titan TrickBot has added a striking anti-debugging feature that detects security analysis and crashes researcher browsers before its malicious code can be analyzed.
The new anti-debugging feature was discovered by Security Intelligence analysts with IBM, who reported the emergence of a variety of TrickBot tactics aimed at making the job of security researchers more difficult, including server-side injection delivery and secure communications with the command-and-control (C2) server to keep code protected.
IBM’s intelligence team found TrickBot’s script detects analysis whenever a code “beautifying” tool is applied to make the code more easily readable with human eyes. Once TrickBot detects the beautifier, it kicks in a memory-overload reaction to crash the researcher’s tab.
“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration,” the report said. “After a few rounds, memory is eventually overloaded, and the browser crashes.”
TrickBot’s Messy Code
Further, the researchers found that TrickBot intentionally makes its code “messy,” in order to force analysts to use beautifying tools to make sense of it.
That includes adding in redundant code and what the report calls “monkey patching — Patching native functions to change their behavior in a way that makes it impossible to understand what is being activated using static analysis.”
“For instance, when looking at obfuscated injection code, a researcher may start by decoding it from the Base64 format, then make all literals and functions human-readable,” the IBM team explained. “Literal values are changed to real ones, code is divided into chunks, etc. All these efforts are part of code beautifying, and TrickBot expects that from researchers, making it a good place to hold them back.”
Other efforts at obfuscating TrickBot code from researchers include moving all strings to an array and encrypting them to hide details about the malware’s execution; and the use of hex representation to make it hyper-complicated to decipher.
Launched back in 2016, TrickBot has evolved from a simple banking trojan into a powerful threat with all sorts of malicious capabilities, including backdoor access, data theft and payload delivery. The group recently also added additional distribution affiliates focused on ransomware.
TrickBot has gained influence following the Emotet takedown last year, after the group stepped in to help to keep the malware in circulation and both groups began collaborating.