TrickBot phishing checks screen resolution to evade researchers

silversurfer

The TrickBot malware operators have been using a new method of checking the screen resolution of a victim system to evade detection by security software and analysis by researchers.
Last year, the TrickBot gang added a new feature to their malware that terminated the infection chain if a device was using non-standard screen resolutions of 800x600 and 1024x768.
In a new variation spotted by threat researchers, the verification code has been added to the HTML attachment of the malspam delivered to the potential victim.
Recently, TheAnalyst - a threat hunter and member of the Cryptolaemus security research group, found that the HTML attachment from a TrickBot malspam campaign behaved differently on a real machine than on a virtual one.
The attachment downloaded a malicious ZIP archive on a physical system but redirected to the ABC's (American Broadcasting Company) website in a virtual environment.
If the target opens the HTML in their web browser, the malicious script is decoded and the payload is deployed on their device.
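The post describes the behaviour but not the attachment's script. The block below is an added example, not TrickBot's code and not from the post's author: it models the resolution branch as plain functions so it runs under Node (a browser script would read `window.screen.width`/`height` directly), and pairs it with a crude static triage a defender could run over an HTML attachment. The resolution list reuses the two values the post names for the earlier in-malware variant; the decoy URL, the function names and the sample attachment are constructed assumptions.

```javascript
// Added example: screen-resolution sandbox check as used in HTML-smuggling lures,
// plus a static triage heuristic for it. Not from the original post or from TrickBot.

// Resolutions typically left at default in VMs and sandboxes. 800x600 and 1024x768
// are the two the post names for the earlier variant; the set is an assumption.
const SANDBOX_RESOLUTIONS = new Set(['800x600', '1024x768']);

// Where the lure sends analysis environments instead of delivering the payload.
// The post says the real sample redirected to ABC's site; this URL is a placeholder.
const DECOY_URL = 'https://decoy.example/';

// Attacker-side logic, parameterised on a screen-like object so it is testable
// offline. In a browser the argument would be window.screen.
function looksLikeAnalysisEnvironment(width, height) {
  return SANDBOX_RESOLUTIONS.has(`${width}x${height}`);
}

function decide(screenLike) {
  if (looksLikeAnalysisEnvironment(screenLike.width, screenLike.height)) {
    return { action: 'redirect', target: DECOY_URL };
  }
  // On a "real" machine the lure would decode its embedded archive and offer it
  // for download; here we only report the branch that was taken.
  return { action: 'decode-payload' };
}

// Defender-side logic: flag HTML attachments that read the screen size AND either
// decode embedded data or redirect. Any one indicator alone is common in benign
// pages; the combination is what makes the attachment worth a closer look.
const INDICATORS = {
  resolutionCheck: /screen\.(width|height|availWidth|availHeight)/,
  decode: /\b(atob|unescape|decodeURIComponent|fromCharCode)\s*\(/,
  redirect: /(location\.(href|replace)|window\.location)/,
};

function triageHtml(html) {
  const hits = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(html))
    .map(([name]) => name);
  const suspicious =
    hits.includes('resolutionCheck') &&
    (hits.includes('decode') || hits.includes('redirect'));
  return { suspicious, hits };
}

// Constructed sample attachment modelled on the described behaviour. It is a string
// that is only scanned, never executed; "payload" is deliberately left undefined.
const SAMPLE_ATTACHMENT = `<html><body><script>
if ((screen.width == 800 && screen.height == 600) ||
    (screen.width == 1024 && screen.height == 768)) {
  window.location.href = "https://decoy.example/";
} else {
  var bytes = Uint8Array.from(atob(payload), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/zip" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
}
</script></body></html>`;

const BENIGN_ATTACHMENT = '<html><body><p>Quarterly report attached.</p></body></html>';

// Stand-alone demonstration.
for (const s of [{ width: 1024, height: 768 }, { width: 1920, height: 1080 }]) {
  console.log(`${s.width}x${s.height} ->`, decide(s).action);
}
console.log('sample attachment:', triageHtml(SAMPLE_ATTACHMENT));
console.log('benign attachment:', triageHtml(BENIGN_ATTACHMENT));
```

Two practical notes follow from the code. The check costs the attacker nothing and is invisible to a sandbox that renders at a default resolution, so dynamic analysis of such attachments should run with a non-default screen size (or with `screen.width`/`screen.height` patched to desktop-like values) and should compare the two runs. The triage regexes are a coarse first pass; obfuscated scripts that build the property names at runtime will evade them, which is why the resolution check is better treated as one signal alongside the decode-and-download pattern than as a signature on its own.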