Image default

Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years

Jan 31, 2023Ravie LakshmananThreat Detection / Malware

Malware Evade Detection

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

“TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically,” Check Point Research’s Arie Olshtein said, calling it a “master of disguises.”

Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism.

“Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion techniques,” Proofpoint noted in December 2020.

But the frequent updates to the commercial packer-as-a-service meant TrickGate has been tracked under various names such as new loader, Loncom, and NSIS-based crypter since 2019.

Malware Evade Detection

Telemetry data gathered by Check Point indicates that the threat actors leveraging TrickGate have primarily singled out the manufacturing sector, and to a lesser extent, education, healthcare, government, and finance verticals.

The most popular malware families used in the attacks in the past two months include FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore, with significant concentrations reported in Taiwan, Turkey, Germany, Russia, and China.

The infection chain involves sending phishing emails with malicious attachments or booby-trapped links that lead to the download of a shellcode loader that’s responsible for decrypting and launching the actual payload into memory.

The Israeli cybersecurity firm’s analysis of the shellcode shows that it “has been constantly updated, but the main functionalities exist on all the samples since 2016.” Olshtein noted “the injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Related posts

3 things you should know about Industrial IoT

James Horns

Security and IT Teams No Longer Need To Pay For SaaS-Shadow IT Discovery

James Horns

New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

James Horns

OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability

James Horns

ESXiArgs Ransomware Hits Over 500 New Targets in European Countries

James Horns

CISA Sounds Alarm on Cybersecurity Threats Amid Russia’s Invasion Anniversary

James Horns

Leave a Comment