TrickBot operators are attempting to evade detection and analysis by checking the screen resolution of a victim’s system isn’t something new. Just a year ago, the TrickBot gang had added a new feature to its malware which terminated infection chains if non-standard screen resolutions were spotted on the devices.

What’s unique in the new variant?

Recently, a threat hunter and member of the Cryptolaemus security group discovered an HTML attachment containing a fake insurance purchase alert.
  • The spam email downloads a ZIP archive for a physical system and redirects victims to the American Broadcasting Company (ABC) website in a virtual environment.
  • The script distinguishes between them by checking if the web browser uses a software renderer like SwiftShader, VirtualBox, or LLVMpipe, which typically implies the use of a virtual machine.
  • Furthermore, the script also checks the color depth, height, and width of a screen.

According to researchers, it is for the first time that a gang is using a script in an HTML attachment to check for screen resolution.

The infection chain

Opening the email attachment, which occurs on your default web browser, launches the HTML file from the campaign.
  • A message is displayed asking users to wait while the document is being loaded. It then asks for a password to access it.
  • On a regular user’s machine, the infection chain begins right after the download of a ZIP archive carrying the TrickBot executable.
  • Downloading malware this way is called HTML smuggling that bypasses a browser's content filters and sneaks malicious files onto a compromised system by including JavaScript code encoded in an HTML file, which is new.


TrickBot operators are now using screen resolutions of devices to identify if the targeted environment is virtual or not. To stay protected from such threats, organizations require a tool that can examine files based on their behavior and deliver reports on important system changes.

Cyware Publisher