TrickGate is a commercial packer-as-a-service that came to prominence in the threat landscape in 2016. It was thought to be obsolete and its operations were assumed to have shut down; however, it is still active and has quite a few takers.
The latest discovery
Check Point observed between 40 and 650 TrickGate-related attacks per week over the last two years. The attacks are spread worldwide, with a particular focus on Taiwan and Turkey.
Threat actors utilized TrickGate to primarily target the manufacturing sector (41.94%), followed by education (12.65%), healthcare (8.88%), government (7.14%), and finance (5.61%) sectors.
Apart from the above, since 2016, TrickGate has been used to deploy the top members of the Most Wanted Malware list, including AZORult, BuerLoader, Cerber, Cobalt Strike, CoinMiner, DarkVNC, Emotet, HawkEye, Lokibot, Maze, NetWire, REvil, and Trickbot.
Typically, threat actors gain initial access through phishing emails carrying malicious attachments or links.
The first stage is a file containing an archived executable, or one of several other file types and delivery permutations, all of which lead to the same shellcode.
The second stage is the shellcode loader, which decrypts the shellcode and loads it into memory.
The next stage is the shellcode itself, the core of the packer. It decrypts the payload and stealthily injects it into a new process.
The payload is the final stage and the actual malicious code; what it does depends on the actor using the packer.
Significance of TrickGate
TrickGate is a master of disguise and has been referred to by various names, such as Emotet’s packer, new loader, Loncom, and NSIS-based crypter.
Thanks to its transformative abilities, it has stayed under the radar of security products (including EDR and anti-virus) for the past six years.
It is continuously improving itself, using custom hash functions (so that the APIs it resolves never appear as plain-text import names), abusing the callback-function mechanism, and other techniques.
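As an added illustration of what "custom hash functions" mean from the analyst's side (this is example code written for this page, not TrickGate's code and not from Check Point): shellcode that carries no import table resolves Windows functions by walking a module's export table and comparing a hash of each export name against a constant it carries, so an analyst precomputes a hash-to-name table and scans the blob for matching constants. The hash routine below is the common ROR13 scheme, used purely as a stand-in; the page does not describe TrickGate's custom hash, so in practice you substitute the routine recovered from the sample's disassembly. The candidate API list and the byte blob are constructed for the example.

```python
# Added example (not TrickGate's code): resolving API-name hashes found in
# import-less shellcode. ROR13 is a stand-in for whatever custom hash the
# sample actually uses; swap in the routine recovered from the sample.
from typing import Callable, Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= MASK32
    return ((value >> shift) | (value << (32 - shift))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13 hash over an ASCII export name (NUL terminator not included)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_hash_table(names: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> name for every export the shellcode might look up."""
    return {hash_fn(n): n for n in names}


def scan_blob_for_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """Slide a 4-byte little-endian window over the blob and report every
    constant that matches a known hash, as (offset, hash, api_name)."""
    hits = []
    for off in range(len(blob) - 3):
        val = int.from_bytes(blob[off:off + 4], "little")
        name = table.get(val)
        if name is not None:
            hits.append((off, val, name))
    return hits


# Constructed list of exports a loader/injector typically needs; in practice
# feed in the full export list of kernel32/ntdll taken from the real DLLs.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "WriteProcessMemory", "ResumeThread", "NtUnmapViewOfSection",
]
HASH_TABLE = build_hash_table(CANDIDATE_APIS)

# Constructed sample "shellcode": filler bytes with three hash constants
# embedded the way a `mov eax, <hash>`-style lookup would carry them.
SAMPLE_BLOB = (
    b"\x90" * 6
    + ror13_hash("VirtualAlloc").to_bytes(4, "little")
    + b"\xe8\x00\x00\x00\x00"
    + ror13_hash("CreateProcessA").to_bytes(4, "little")
    + b"\xc3"
    + ror13_hash("ResumeThread").to_bytes(4, "little")
)


def resolve_sample() -> List[str]:
    """API names the constructed blob references, in file order."""
    return [name for _, _, name in scan_blob_for_hashes(SAMPLE_BLOB, HASH_TABLE)]


if __name__ == "__main__":
    for off, h, name in scan_blob_for_hashes(SAMPLE_BLOB, HASH_TABLE):
        print(f"offset 0x{off:04x}: 0x{h:08x} -> {name}")
```

The point of a custom hash is precisely that precomputed tables for the well-known schemes (ROR13 and friends) return nothing, which is why the first step on a real sample is to lift the hash loop from the disassembly and plug it in as `hash_fn`; once that is done, the constants the shellcode carries read as plain API names and reveal the injection technique in use.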
While its outer appearance has changed over time, the main building blocks within TrickGate shellcode are the same and still in use.
Many threat actors and APT groups regularly use TrickGate to spread ransomware, RATs, info-stealers, banking trojans, and miners. Although the groups using it are unrelated, the shellcode similarities and behavioral overlap across their samples are too consistent to be coincidence, and point to a shared packing service. Experts expect more groups to conceal their malicious code and evade security technologies by using TrickGate as their wrapping solution, likely on a massive scale.