TrickBot operators are escalating their activities with added protection to thwart researchers. Several additional layers of protection have been applied to injections used in online banking fraud.

The extra protection 

Researchers from IBM Trusteer examined the most recent injections of TrickBot and anti-analysis techniques to hide its activities. These techniques are grouped into four different categories:
  • First is server-side injection delivery, where the operators inject from their server to facilitate fetching of the required injection from the server using a downloader or a JS loader.
  • Secondly, they have adopted secure communications with the C2 by using the JS downloader. It conducts injections using a secure request via the HTTPS protocol to the C2 server controlled by attackers.
  • The attackers are using anti-debugging as the third layer. TrickBot has added an anti-debugging script to its JS code. The aim is to predict the possible actions taken by researchers, such as the use of code beautify techniques. TrickBot operates using RegEx functions to fail the code beautify, for example.
  • The fourth is the use of encoding/obfuscation tactics, including the use of Base64, Minify/Uglify, number base and representing, string extraction and replacement, dead code injection, and Monkey patching.

The injection technique

TrickBot uses a variety of injections to fool both users and their service providers for banking fraud.
  • The operators use Man-in-the-browser (MiTB) scripts to intercept the communication between users and remote services (e.g an online banking customer).
  • The attackers frequently use banking trojans in their attacks for intercepting the targeted user's traffic during web sessions. 
  • TrickBot injections are fetched locally from configuration files or in real-time from the inject server. 
  • Further, the attack tactics are changed for each bank to counter challenges that occur to attackers.

Conclusion

The recent findings show that TrickBot operators are very much capable and resourceful for taking their malware to a new level. They are regularly making efforts to hide their activities from security radars. Therefore, it is important for organizations and researchers to continuously update their strategy and put in regular efforts to withstand such threats.
Cyware Publisher

Publisher

Cyware