Originally started as a banking trojan, the infamous TrickBot malware has now evolved to perform a variety of malicious behavior. In several capabilities, Trickbot follows the evolution of modern threats via its modular and expandable tactics architecture. Recently it added another advanced capability to evade detection.
TrickBot brings new innovation
Recently, the TrickBot trojan was observed checking the screen resolution of an infected computer as a way for an anti-VM check.
- The TrickBot malware checks if the computer's screen resolution is 800x600 or 1024x768, and if it is, TrickBot will terminate to evade analysis.
- The security researchers usually configure their malware analysis virtual machines with minimal system requirements, by skipping the VM guest software needed for better screen resolutions, mouse control, improved networking, and other features. So a lack of such software almost certainly indicates a sandbox machine controlled by analysts.
- Without the VM guest software, a VM will typically be having resolutions 800x600 or 1024x768. Screen resolutions of ordinary systems are much higher (1366x768 or higher). So the TrickBot developers are using these screen resolution checks.
TrickBot leveraging other innovative tricks
Over the years, TrickBot has shifted focus to enterprise environments by adopting various innovative techniques.
- In June, Trickbot operators leveraged Cobalt Strike to deploy their innovative and deadly Anchor backdoor and Ryuk ransomware against multiple targets.
- In March, TrickBot was one of the first malware to start using COVID-19 lures to target its victims. In that campaign, TrickBot malware launched Cobalt Strike to give the Ryuk Ransomware actors access to the infected computer.
Users should use trusted up-to-date security software to protect against malware infection. Avoid clicking on unverified links and do not open untrusted email attachments. Use content scanning and filtering on mail servers. Data encryption is an effective method against data-stealing malware.