TrickGate, a service to spread malware that has been active for 6 years.

Check Point Research (CPR), the Threat Intelligence division of Check Point Software, found that a service known as TrickGate has been spreading malware for over six years. In that time it has let attackers bypass Endpoint Detection & Response (EDR) systems and distribute a wide range of malware more easily.

Check Point Research discovered the TrickGate service

The service discovered by CPR, known as TrickGate, is used by threat groups such as Emotet, REvil and Maze. CPR has recorded hundreds of attacks every week for the past two years. TrickGate changes regularly, which has allowed it to remain hidden for years. Its known clients include several threat groups and malware families, among them Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and others.

Some of these malware families have made headlines in recent years. Emotet, originally created as a banking trojan, later evolved into a platform for sending spam and installing other malware. Several cyber security experts have called it one of the most dangerous malware families in the world. Emotet uses a combination of techniques to spread, including phishing, vulnerability exploitation and propagation across infected networks. Today, TrickGate can be added to this list.

Trickbot, on the other hand, is a banking trojan originally developed to carry out financial attacks. In recent years, however, it has expanded its scope to include the collection of sensitive information, such as login credentials for corporate systems. Trickbot spreads through a variety of techniques, including phishing, infecting legitimate websites, and compromising third-party software.

Over the past two years, CPR has tracked between 40 and 650 TrickGate attacks per week all over the world, so its distribution is on a large scale. According to the data collected, attackers using TrickGate mainly target the manufacturing sector, but also the education, healthcare and financial sectors. The most common malware delivered in the last couple of months is Formbook, which accounts for 42% of the cases detected.

The software attack process

There are many attack techniques, but shellcode is the heart of the TrickGate packer. It handles decrypting the instructions and the malicious code and injecting the malware into new processes. The malware is encrypted and then packaged with a special procedure to bypass security products, so that it is detected neither statically on disk nor during execution.
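The following added example (not Check Point's code and not TrickGate's real packer) shows, from a defender's side, why an encrypted-then-unpacked payload evades byte-signature scanning of the file on disk while the same signatures still match once the loader has decrypted the payload in memory. The payload, the signature strings, the repeating-key XOR used as a stand-in for the real packing scheme and the key are all constructed for illustration; the point is that detection has to look at the decrypted buffer (memory scanning) or at behaviour, not only at the stored file.

```python
"""Static scan vs. post-decryption scan of a toy packed payload.

Everything here is constructed: the payload bytes, the signatures and
the XOR "packing" are illustrative stand-ins, not real malware artefacts.
"""
import hashlib
from typing import List

# Constructed stand-in for a malicious executable: a PE-like header text plus
# a marker string that plays the role of a known malware family signature.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
    b"FAKE_FORMBOOK_MARKER\x00"
)

# Constructed YARA-style string signatures a static scanner would look for.
STATIC_SIGNATURES: List[bytes] = [
    b"FAKE_FORMBOOK_MARKER",
    b"This program cannot be run",
]


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy stand-in for the packer's encryption step: repeating-key XOR.

    Real packers use stronger schemes and add a loader stub, but the effect
    on byte-pattern signatures is the same: none of the plaintext survives.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def unpack(blob: bytes, key: bytes) -> bytes:
    """What the loader shellcode does at runtime before injecting the code."""
    return pack(blob, key)  # XOR is its own inverse


def static_scan(blob: bytes, signatures: List[bytes] = STATIC_SIGNATURES) -> List[bytes]:
    """Signatures matched against the bytes exactly as stored on disk."""
    return [sig for sig in signatures if sig in blob]


def runtime_scan(packed: bytes, key: bytes,
                 signatures: List[bytes] = STATIC_SIGNATURES) -> List[bytes]:
    """Simulates an EDR memory scan taken after the loader decrypted the payload."""
    return static_scan(unpack(packed, key), signatures)


def repacking_changes_hash(payload: bytes, key_a: bytes, key_b: bytes) -> bool:
    """Repacking the same payload with a new key yields a new file hash, which
    is why hash-only blocklists drift as a packer service rotates its builds."""
    return (hashlib.sha256(pack(payload, key_a)).hexdigest()
            != hashlib.sha256(pack(payload, key_b)).hexdigest())


if __name__ == "__main__":
    key = b"\x5a\xa7\x13"  # constructed key
    packed = pack(SAMPLE_PAYLOAD, key)
    print("plain file  :", static_scan(SAMPLE_PAYLOAD))
    print("packed file :", static_scan(packed))
    print("memory scan :", runtime_scan(packed, key))
```

Running it shows both signatures hitting on the plain sample, nothing hitting on the packed file, and both hitting again on the decrypted buffer; the hash check shows why a new key per build defeats hash-based blocking as well.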

CPR was unable to establish a precise affiliation with specific groups of cybercriminals. However, based on the customers the service has served, it is believed to be run by a group of native Russian speakers.

Ziv Huyan, Malware Research and Protection Group Manager at Check Point Software, says: “TrickGate is an expert at camouflage. It has been given different names based on its different features, including ‘Emotet Packer’, ‘New loader’, ‘Loncom’, ‘NSIS-based crypter’ and many more. Analyzing the previous searches at best, we have identified a single large operation that seems to be offered as a real service.

“The fact that many of the top forwards in recent years have chosen TrickGate as a tool to break through defensive systems is telling. Simply put, TrickGate possesses amazing concealment and evasion techniques. We monitored its appearance using different types of code language and different file types. However, the main attack flow remained pretty unaffected. To this day, the same techniques used six years ago are still in use.”

Find more information on the Check Point Research website.