The TrickBot group has added new layers of obfuscation to counter security researchers' efforts to identify its activity. According to analysts, its operators have applied multiple added layers of obfuscation and protection to the web injections they then use in online banking fraud.
Researchers analysed TrickBot's latest anti-analysis features and injections, used to hide its malicious activity, and grouped its techniques into four categories.
The latest category TrickBot has added is the use of obfuscation and encoding tactics, including Base64, number-base encoding, string extraction, Minify/Uglify, monkey patching, and dead-code injection.
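To make the listed encoding tactics concrete from an analyst's side, the following is an added example (not code from the article or from any TrickBot sample) of a small normaliser that reverses three of them in a constructed JavaScript inject: Base64 literals passed to atob, hex/binary/octal number bases, and string literals split with "+". It also reports assignments to built-in prototypes, the monkey-patching pattern that MitB scripts use to hook browser APIs. The sample input, the HOOK_TARGETS list and all function names are assumptions made for this illustration.

```javascript
// Added example: a normaliser for analysts reviewing obfuscated web-inject
// JavaScript. SAMPLE_INJECT is a constructed sample, not TrickBot code.

const SAMPLE_INJECT = [
  'var a = "ab" + "cd" + "ef";',                              // split string literal
  'var n = 0x1f + 0b101 + 0o17;',                             // non-decimal number bases
  'var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");',        // Base64-encoded URL
  'XMLHttpRequest.prototype.open = function () { return 0; };', // monkey patching
].join("\n");

// 1. Numeric literals in hex, binary or octal become decimal.
//    Number() understands the 0x / 0b / 0o prefixes, so no manual parsing is needed.
function decodeNumberBases(src) {
  return src.replace(
    /\b0[xX][0-9a-fA-F]+\b|\b0[bB][01]+\b|\b0[oO][0-7]+\b/g,
    (m) => String(Number(m))
  );
}

// 2. atob("<base64>") with a literal argument is replaced by the decoded string,
//    re-quoted with JSON.stringify so the result stays valid JavaScript.
function decodeBase64Calls(src) {
  return src.replace(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g, (m, b64) => {
    const text = Buffer.from(b64, "base64").toString("utf8");
    return JSON.stringify(text);
  });
}

// 3. Adjacent string literals joined with "+" are merged into one literal.
//    Repeats until nothing changes so chains of any length collapse.
//    The character class excludes quotes, backslashes and newlines so a match
//    never spans two separate literals.
function joinSplitStrings(src) {
  const re = /"([^"\\\n]*)"\s*\+\s*"([^"\\\n]*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (m, a, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

// 4. Assignments to built-in prototypes are reported, not rewritten: an analyst
//    wants to see which browser APIs the script hooks. The target list is an
//    assumption chosen for this example.
const HOOK_TARGETS = ["XMLHttpRequest", "String", "Function", "Document", "Element", "HTMLFormElement"];

function findPrototypeHooks(src) {
  const hits = [];
  const re = /\b([A-Za-z_$][\w$]*)\.prototype\.([A-Za-z_$][\w$]*)\s*=(?!=)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (HOOK_TARGETS.includes(m[1])) hits.push(`${m[1]}.prototype.${m[2]}`);
  }
  return hits;
}

// Full pipeline: numbers first, then Base64 (which may yield string literals),
// then string joining so newly decoded literals can be merged too.
function normalizeInject(src) {
  return joinSplitStrings(decodeBase64Calls(decodeNumberBases(src)));
}

console.log(normalizeInject(SAMPLE_INJECT));
console.log("prototype hooks:", findPrototypeHooks(SAMPLE_INJECT));
```

Run with Node (Buffer is a Node global). On the constructed sample the three obfuscated lines normalise to `var a = "abcdef";`, `var n = 31 + 5 + 15;` and `var u = "https://example.invalid/";`, and the hook report lists `XMLHttpRequest.prototype.open`. Real injects layer these tricks (Base64 inside split strings, for instance), which is why the pipeline order matters and why the string-join pass loops until it reaches a fixed point.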
The TrickBot group uses a range of injections to deceive service providers and commit banking fraud against account owners.
The threat actors use Man-in-the-Browser (MitB) scripts to interpose on communication between users and remote services. The researchers also noted that TrickBot campaigns consistently rely on banking trojans to capture the targeted user's traffic in the middle of a web session.
TrickBot injections are found either locally in configuration files or on the inject server. The operators also constantly change the attack methods used for each bank to hinder analysis.
The recent findings show that the TrickBot group is resourceful and capable of evolving its malware. It regularly develops new ways to obfuscate its attacks from security tools. Organisations must constantly update their defences to keep up with the evolving capabilities and strategies of malicious actors.