- Aug 17, 2014
The TrickBot malware has been spotted using text from articles about President Trump's impeachment to bypass the scanning engines of security software.
Before distributing malware, developers commonly use a crypter to encrypt or obfuscate the malware's code to make it FUD (Fully UnDetectable) by antivirus software.
One common technique used by crypters is to take harmless text from books or news articles and inject it into the malware in the hopes that these strings will be whitelisted by security software.
In two new samples of TrickBot discovered by Head of SentinelLabs Vitali Kremez and security researcher MalwareHunterTeam, the malware developers are injecting text from an article about President Trump's impeachment into the malware.
"The anti-virus engines bypasses focus on adding and appending known "goodware" strings to binaries in order to bypass static machine learning engines as similarly it was discovered and used by Cylance engine model," Kremez told BleepingComputer in a conversation. "Known goodware strings might include news headlines like widely populated Trump impeachment news stories mixed with the actual and pseudo-real applications that become appended to the malicious binaries by the malware crypter builder engine."