Over the past six years, a shellcode-based packer known as TrickGate has been functioning successfully without drawing attention while enabling threat actors to spread a variety of malware, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil.
TrickGate is a “master of disguises,” according to Arie Olshtein of Check Point Research, because it is transformative and is altered on a regular basis.
Since at least late 2016, TrickGate has been offered as a service to other threat actors. It hides payloads behind a layer of wrapper code in order to get past the security measures deployed on a host. Packers that use encryption of the malware as an obfuscation technique are also referred to as crypters.
In December 2020, Proofpoint stated that “packers have many properties that let them escape detection measures by looking like innocent files, being challenging to reverse engineer, or employing sandbox evasion techniques.”
However, since 2019, TrickGate has been tracked under other names, including new loader, Loncom, and NSIS-based crypter, because of the regular modifications made to the commercial packer-as-a-service.
According to telemetry data acquired by Check Point, threat actors using TrickGate have predominantly targeted the industrial sector, with smaller concentrations in education, healthcare, government, and finance.
FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore are the malware families most frequently employed in recent attacks, with notable concentrations recorded in Taiwan, Turkey, Germany, Russia, and China.
The infection chain begins with phishing emails carrying malicious attachments or click-bait URLs that download a shellcode loader, which is responsible for decrypting the actual payload and launching it in memory.
The shellcode has “been regularly updated, although the basic features exist on all the samples since 2016,” according to the Israeli cybersecurity company's analysis of the code. The injection module has been the most consistent component over time, according to Olshtein, and it has been observed in all TrickGate shellcodes.
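The property that makes packers and crypters useful to an attacker, an encrypted payload hidden behind a thin wrapper that is only decrypted in memory, is also what gives a defender a first-pass heuristic: encrypted or compressed data has near-maximal byte entropy, while ordinary code, strings and padding do not. The following Python script is an added example, not code from the article or from Check Point, that applies this standard entropy heuristic to a constructed sample: a low-entropy wrapper stub followed by a SHA-256-derived blob standing in for an encrypted payload. The function names, the 7.0 bits/byte threshold, the window sizes and the 30% coverage cut-off are assumptions of this example, not TrickGate indicators.

```python
import hashlib
import math
from collections import Counter

# Entropy at or above this many bits per byte is treated as "encrypted-looking".
# These tuning values are assumptions of this example, not TrickGate indicators.
HIGH_ENTROPY_BITS = 7.0
WINDOW = 1024            # bytes per window
STEP = 512               # window stride
SUSPECT_COVERAGE = 0.30  # fraction of the file inside high-entropy regions


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sliding_entropy(data: bytes, window: int = WINDOW, step: int = STEP):
    """Yield (offset, entropy) for fixed-size windows across the blob."""
    if len(data) <= window:
        yield 0, shannon_entropy(data)
        return
    for off in range(0, len(data) - window + 1, step):
        yield off, shannon_entropy(data[off:off + window])


def high_entropy_regions(data: bytes, threshold: float = HIGH_ENTROPY_BITS,
                         window: int = WINDOW, step: int = STEP):
    """Merge overlapping or adjacent high-entropy windows into (start, end) byte ranges."""
    regions = []
    for off, ent in sliding_entropy(data, window, step):
        if ent < threshold:
            continue
        end = min(off + window, len(data))
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def packed_verdict(data: bytes) -> dict:
    """Summarise a blob: overall entropy, high-entropy ranges, and whether it looks packed/crypted."""
    regions = high_entropy_regions(data)
    covered = sum(end - start for start, end in regions)
    coverage = covered / len(data) if data else 0.0
    return {
        "entropy": shannon_entropy(data),
        "regions": regions,
        "coverage": coverage,
        "suspect": coverage >= SUSPECT_COVERAGE,
    }


def constructed_blob(n: int, seed: bytes = b"entropy-demo") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an encrypted payload.
    Constructed for this example; it is not real malware data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample: a low-entropy "wrapper" stub (a DOS-stub string plus zero padding)
# followed by 4 KiB of encrypted-looking bytes, mimicking the layout of a packed binary.
WRAPPER = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$").ljust(2048, b"\x00")
SAMPLE = WRAPPER + constructed_blob(4096)

if __name__ == "__main__":
    for name, blob in (("wrapper only", WRAPPER), ("wrapper + payload", SAMPLE)):
        v = packed_verdict(blob)
        print(f"{name}: entropy={v['entropy']:.2f} bits/byte, "
              f"high-entropy coverage={v['coverage']:.0%}, suspect={v['suspect']}")
        for start, end in v["regions"]:
            print(f"  high-entropy region 0x{start:x}-0x{end:x}")
```

Run stand-alone, the script flags the combined sample (the encrypted-looking blob covers about two thirds of it) and clears the wrapper alone. The same per-window measure is what PE-analysis tools apply per section; it is only a triage signal, since legitimately compressed or signed resources also score high, so a hit should lead to sandboxing or memory inspection rather than a verdict on its own.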