Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware

guest · Jan 30, 2023

By Alessandro Mascellino @a_mascellino - January 30, 2023

A malicious live software service named TrickGate has been used by threat actors to bypass endpoint detection and response (EDR) protection software for over six years.
Click to expand...

The findings come from Check Point Research (CPR), who shared them with Infosecurity earlier today. Described in a new advisory, the research also suggests that several threat actors from groups such as Emotet, REvil, Maze and more exploited the service to deploy malware.

More specifically, CPR estimated that, throughout the last two years, threat actors conducted between 40 and 650 attacks per week using TrickGate. Victims were located mainly in the manufacturing sector but also in education, healthcare, finance and business enterprises.

“The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey," CPR wrote. "The most popular malware family used in the last two months is Formbook, marking 42% of the total tracked distribution.”
Click to expand...

From a technical standpoint, CPR security researcher Arie Olshtein wrote that the malicious program is encrypted and then packed with a special routine, which is, in turn, designed to bypass the protected system to prevent systems from detecting the payload statically and on run-time.

Further, CPR malware research and protection group manager Ziv Huyan told Infosecurity that the team managed to connect the dots from previous research and point to a single operation that seemed to be offered as a service.

“The fact that many of the biggest threat actors in recent years have been choosing TrickGate as a tool to overcome defensive systems, is remarkable,” Huyan explained.
Click to expand...

Check Point Research: Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware

Executive summary

Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs.

Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.

TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names.

While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today.

Click to expand...

Rasheed187 · Feb 5, 2023

The question is, how on earth do these malware samples manage to hide from EDR's? Because the whole point of them is to spot malware not by signatures but based on suspicious behavior in case AV's fail to detect them. So if they are not actually trying to disable EDR's and can still hide or bypass them, then these EDR's need to go back to the drawing board.

Log in or Sign up

Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware

guest Guest

Rasheed187 Registered Member

Useful Searches