New TrickBot Variant Updates Anti-Analysis Tricks

silversurfer
Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.

“In this post, we detailed how this TrickBot fresh variant works in a victim’s machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules,” said Xiaopeng Zhang with Fortinet’s FortiGuard Labs threat team in a Monday analysis.

Researchers discovered the latest variant in a malicious Word document, which they believe is part of a phishing campaign. When the malicious Word document is opened, it asks the victim to “Enable Content,” which then executes a malicious macro (in VBA code). The VBA code then extracts a file (“C:\AprilReport\List1.jse”) which eventually runs a huge JavaScript file called “List1.jse.”

Researchers listed a number of anti-analysis techniques utilized by this JavaScript file, including heavy obfuscation to protect the API function calls and constant strings associated with the malware’s attack chain from being identified.

In new behavior for this variant, once executed, the JavaScript code first waits for about one minute. This behavior makes it seem inert, helping it to bypass any auto-analysis tools, researchers said. After waiting, the JavaScript file then executes a command (“Select * from Win32_Process”) to obtain all running processes on the victim’s system. It then puts all of the names of these obtained processes together and checks to see if its length is less than 3,100 – another new anti-analysis functionality, researchers said.

“If [the length is less than 3,100], it will raise an exception and close,” researchers said. “Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.”
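The process-name length heuristic described above, reproduced as an added example (not code from the article, Fortinet, or the sample) so a sandbox operator can check whether an analysis VM would look "too quiet" to it. It assumes the names are concatenated with no separator, and takes the process list as plain input instead of querying WMI.

```javascript
// Added example: models the "concatenated process-name length" check the
// post describes, from the defender's side. The real sample collects the
// names via WMI ("Select * from Win32_Process"); here the list is passed in.
const TRICKBOT_LENGTH_THRESHOLD = 3100; // threshold stated in the write-up

// Assumption: names are joined with no separator (the post does not say).
function concatenatedProcessNameLength(processNames) {
  return processNames.reduce((total, name) => total + name.length, 0);
}

// True when the environment would fail the check, i.e. the sample would
// raise an exception and exit instead of continuing to its payload.
function looksLikeAnalysisEnvironment(processNames) {
  return concatenatedProcessNameLength(processNames) < TRICKBOT_LENGTH_THRESHOLD;
}

// Constructed list resembling a bare sandbox VM: core Windows processes
// plus the script host that runs the .jse file.
const bareSandbox = [
  "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
  "services.exe", "lsass.exe", "svchost.exe", "svchost.exe", "svchost.exe",
  "explorer.exe", "wscript.exe",
];

// Constructed list resembling a busy workstation: the same core set plus
// many service hosts, browser tabs and user applications (counts illustrative).
const busyWorkstation = bareSandbox.concat(
  Array(200).fill("svchost.exe"),
  Array(60).fill("chrome.exe"),
  Array(10).fill("RuntimeBroker.exe"),
  ["OUTLOOK.EXE", "EXCEL.EXE", "Teams.exe", "OneDrive.exe", "SearchIndexer.exe"],
);

// One-line verdict for an environment, useful when tuning a sandbox image.
function report(label, processNames) {
  const len = concatenatedProcessNameLength(processNames);
  const verdict = looksLikeAnalysisEnvironment(processNames) ? "would be flagged" : "passes";
  return `${label}: ${processNames.length} processes, ${len} chars -> ${verdict}`;
}

console.log(report("bare sandbox", bareSandbox));
console.log(report("busy workstation", busyWorkstation));
```

Because the heuristic only counts characters, padding a sandbox image with realistic background processes is enough to get it past this particular check.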