TrickBot now crashes researchers' browsers to block malware analysis

silversurfer

The notorious TrickBot malware has received new features that make it more challenging to research, analyze, and detect in the latest variants, including crashing browser tabs when it detects beautified scripts.

Researchers at IBM Trusteer have analyzed recent samples to see what new anti-analysis features have been introduced recently by the authors and present some interesting findings in their report.
First, TrickBot's developers use a range of obfuscation and base64 encoding layers for the scripts, including minification, string extraction and replacement, number base and representation changes, dead code injection, and monkey patching. Obfuscation is expected in the malware world, but TrickBot features many layers and redundant parts to make analysis slow and cumbersome, and it often produces inconclusive results.

Second, when injecting malicious scripts into web pages to steal credentials, the injections don't involve local resources but rely solely on the actors' servers. As such, analysts cannot retrieve samples from the memory of infected machines. TrickBot communicates with the command and control (C2) server using the HTTPS protocol, which supports encrypted data exchange. Also, the injection requests include parameters that flag unknown sources, so analysts cannot retrieve samples from the C2 using an unregistered endpoint.