fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

TrickBot Now Crashes Researchers’ Browsers to Block Malware Analysis

TrickBot Now Crashes Researchers’ Browsers to Block Malware Analysis

The notorious TrickBot malware has received new features that make it more challenging to research, analyze, and detect in the latest variants, including crashing browser tabs when it detects beautified scripts.

TrickBot has dominated the malware threat landscape since 2016, constantly adding optimizations and improvements while facilitating the deployment of damaging malware and ransomware strains.

As TrickBot is modular, the threat actors can deploy modules that perform a wide variety of malicious activities, including man-in-the-browser attacks to steal online banking credentials, the stealing of active directory databases, spreading through a network, data exfiltration, and more.

Also Read: 4 Considerations In The PDPA Singapore Checklist

Apart from being a banking trojan, TrickBot is also used to deploy other payloads thanks to its stealthiness and effectiveness.

Most recently, it has been linked to the Diavol ransomware group, the Conti ransomware gang, and even the re-emergence of Emotet.

Researchers at IBM Trusteer have analyzed recent samples to see what new anti-analysis features have been introduced recently by the authors and present some interesting findings in their report.

Researchers not welcome

First, TrickBot’s developers use a range of obfuscation and base64 encoding layers for the scripts, including minify, string extraction and replacement, number base and representing, dead code injection, and monkey patching.

Obfuscation is expected in the malware world, but TrickBot features many layers and redundant parts to make analysis slow, cumbersome, and often produce inconclusive results.

Second, when injecting malicious scripts into web pages to steal credentials, the injections don’t involve local resources but rely solely on the actors’ servers. As such, analysts cannot retrieve samples from the memory of infected machines.

TrickBot communicates with the command and control (C2) server using the HTTPS protocol, which supports encrypted data exchange.

Also Read: The 3 Main Benefits Of PDPA For Your Business

Also, the injection requests include parameters that flag unknown sources, so analysts cannot retrieve samples from the C2 using an unregistered endpoint.

By gathering the device’s fingerprint, TrickBot operators can inject a custom script into each victim’s browser, targeting a specific bank and persuading its system that it’s interacting with the actual customer.

TrickBot fingerprinting the victim
TrickBot fingerprinting the victim
Source: IBM

Finally, TrickBot features an anti-debugging script in the JS code, which helps it anticipate when it is being analyzed and triggers a memory overload that crashes the page.

TrickBot previously attempted to determine if it’s being analyzed by checking the host’s screen resolution, but now it also looks for signs of “code beautifying.”

Code beautifying is the transformation of obfuscated code or unwrapped text into content more easily readable by a human eye and thus easier to identify interesting code within it.

Recent variants of TrickBot use regular expressions to detect when one of its injected scripts has been beautified, typically indicating a security researcher is analyzing it.

If beautified code is found, TrickBot now crashes the browser to prevent further analysis of the injected script.

“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration. After a few rounds, memory is eventually overloaded, and the browser crashes,” IBM Trusteer researchers explain in a new blog post.

TrickBot causing a crash to prevent analysis
TrickBot causing a crash to prevent analysis
Source: IBM

How to stay safe

TrickBot usually arrives on the target system through phishing emails that include a malicious attachment that executes macros to download and install malware.

Apart from treating incoming emails with caution, it is also advisable to enable multi-factor authentication on all your accounts and regularly monitor login logs where possible.

Because many TrickBot infections end with ransomware attacks, following network segmentation practices and a regular offline backup schedule are also vital to containing potential threats.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us