Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

"TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically," Check Point Research's Arie Olshtein said, calling it a "master of disguises."
The infection chain involves sending phishing emails with malicious attachments or booby-trapped links that lead to the download of a shellcode loader that's responsible for decrypting and launching the actual payload into memory.

The Israeli cybersecurity firm's analysis of the shellcode shows that it "has been constantly updated, but the main functionalities exist on all the samples since 2016," Olshtein noted. "The injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes."
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top