Financial institutions have long been the target of cyberattacks, and today researchers at Cyberbit announced they have discovered a new variant of Trickbot, a modular malware and well-known financial Trojan that targets customers of large banks and steals their credentials.
Since Trickbot was first discovered in 2016, new variants have emerged, updated with new tricks and modules. Researchers analyzed Trickbot’s most recent infection vector – a malicious Word document – that only executes its macro after a user has both clicked “enable content” and resized the window by zooming in and out of the document.
Once a user performs both of these actions, the macro runs PowerShell, which downloads and executes Trickbot. Researchers noted that the variant leverages a variety of new evasion techniques, including a stealthy code-injection technique that performs process hollowing used for unpacking – as was seen in older samples of Trickbot. With this variant, the process hollowing is done using direct system calls. In addition, by calling long/short sleeps, the malware sleeps for anywhere from 11 to 30 seconds and avoids sandboxes.
Trickbot also hinders research and analysis by using encryption and useless function calls, and it avoids detection by disabling and deleting the Windows Defender service. Attackers can leverage these techniques to steal users’ credentials and access their bank accounts.
“Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat,” wrote Hod Gavriel in today’s blog post.
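The chain reported above (Word launching PowerShell, followed by the Windows Defender service being disabled and deleted) can be hunted for in process-creation logs. The sketch below is an added example, not code from Cyberbit or the article: the event fields and sample events are constructed, and the use of `sc.exe` against the `WinDefend` service is an assumption, since the report does not say how the service is removed.

```python
import re

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
# Hosts, paths and command lines are made-up samples, not data from the report.
W = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SC = "C:\\Windows\\System32\\sc.exe"
EVENTS = [
    {"host": "ws-01", "parent": "C:\\Windows\\explorer.exe", "image": W,
     "cmd": "WINWORD.EXE /n invoice.doc"},
    {"host": "ws-01", "parent": W, "image": PS,
     "cmd": "powershell.exe -NoProfile -File constructed.ps1"},
    {"host": "ws-01", "parent": PS, "image": SC, "cmd": "sc.exe stop WinDefend"},
    {"host": "ws-01", "parent": PS, "image": SC, "cmd": "sc.exe delete WinDefend"},
    {"host": "ws-02", "parent": "C:\\Windows\\System32\\cmd.exe", "image": SC,
     "cmd": "sc.exe query WinDefend"},          # benign status check
    {"host": "ws-02", "parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmd": "powershell.exe Get-Service"},      # benign interactive use
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumed tampering commands: sc.exe stopping, deleting or disabling WinDefend.
DEFENDER_TAMPER = re.compile(
    r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+windefend\b"
    r"|\bsc(?:\.exe)?\s+config\s+windefend\s+start=\s*disabled", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, rule) alerts, plus a chain alert when both rules hit one host."""
    alerts, seen = [], {}
    for ev in events:
        hits = []
        if basename(ev["parent"]) in OFFICE and basename(ev["image"]) in SHELLS:
            hits.append("office_spawned_powershell")
        if DEFENDER_TAMPER.search(ev["cmd"]):
            hits.append("defender_service_tamper")
        for rule in hits:
            alerts.append((ev["host"], rule))
            seen.setdefault(ev["host"], set()).add(rule)
    for host, rules in sorted(seen.items()):
        if len(rules) == 2:  # both behaviours on one host: escalate
            alerts.append((host, "macro_to_defender_tamper_chain"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```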