The TrickBot group added layered security to effectively hide itself

TrickBot Threat Group Layered Security Hide Itself Malware

The TrickBot group has added new features to their obfuscation mechanics to counteract security groups’ identification rampage. According to analysts, multiple added layers of obfuscation and protection have been employed by its operators to their injections then utilised in many online banking frauds.

Researchers analysed the most up-to-date anti-analysis features and injections of TrickBot to hide its malicious activities and said that its techniques are classified into four categories.

The first one is server-side injection delivery. The threat actors inject from their server to facilitate the retrieval of the needed injection from the server utilising a downloader or a JavaScript loader.

The TrickBot group adopted secure communications with the command-and-control server by using the JavaScript downloader for the second category. The communication process conducts injections using a particular request through the HTTPS protocol to the command-and-control server controlled by TrickBot.

The third category is that the attackers are utilising an anti-debugging feature. TrickBot has added the anti-debugging script to complement the JavaScript code. The objective of this third category is to predict and do a forecast for the possible mitigating action that researchers will use.

The last category added by the TrickBot is the use of obfuscation and encoding tactics, including the utilisation of Base64, number base, string extraction, Minify/Uglify, Monkey Patching, and dead code injections.


The TrickBot group utilises various injections to deceive service providers for banking fraud against bank account owners.


The threat actors abuse the Man-in-the-Browser (MitB) scripts to obstruct communication between the users and remote services. Moreover, the researchers said that TrickBot always uses banking trojans in their campaigns for catching the targeted user’s traffic in between web sessions.

TrickBot injections are found locally from configuration files or in the inject server. Furthermore, the hackers constantly change the attack methods for each bank to avoid analysis.

The recent discovery reveals that the TrickBot group is very resourceful and capable of taking their malware to higher forms. They are regularly making ways to obfuscate their attacks from cybersecurity. It is imperative for all organisations to constantly update their counterattack methods to keep up with improving characteristics and strategies of malicious entities.

About the author

Leave a Reply