TrickBot Operators Strengthen Obfuscation Game with Layered Security

The extra protection 

• First is server-side injection delivery, where the operators inject from their server to facilitate fetching of the required injection from the server using a downloader or a JS loader.
• Secondly, they have adopted secure communications with the C2 by using the JS downloader. It conducts injections using a secure request via the HTTPS protocol to the C2 server controlled by attackers.
• The attackers are using anti-debugging as the third layer. TrickBot has added an anti-debugging script to its JS code. The aim is to predict the possible actions taken by researchers, such as the use of code beautify techniques. TrickBot operates using RegEx functions to fail the code beautify, for example.
• The fourth is the use of encoding/obfuscation tactics, including the use of Base64, Minify/Uglify, number base and representing, string extraction and replacement, dead code injection, and Monkey patching.

The injection technique

• The operators use Man-in-the-browser (MiTB) scripts to intercept the communication between users and remote services (e.g an online banking customer).
• The attackers frequently use banking trojans in their attacks for intercepting the targeted user's traffic during web sessions. 
• TrickBot injections are fetched locally from configuration files or in real-time from the inject server. 
• Further, the attack tactics are changed for each bank to counter challenges that occur to attackers.

Conclusion