TrickBot Bolsters Layered Defenses to Prevent Injection Research

TrickBot’s operators have augmented injections with layered defenses to hinder researchers and improve theft during online banking fraud. IBM Trusteer details how TrickBot fetches per-target web injections, secures its communications, and relies on obfuscation and anti-analysis techniques to outpace security controls. Hashtags: #TrickBot #MiTB #BazarCall #Dyre #IBMTrusteer #PowerShell #CobaltStrike

Keypoints

  • TrickBot uses server-side injections delivered via a downloader or JS loader to fetch the appropriate web injections for each target.
  • Injections are fetched over HTTPS from a C2 server, enabling per-page customization and evading some controls through a permissive referrer policy.
  • The malware hooks certificate verification to disguise malicious communications with its inject server.
  • Injected web payloads collect credentials and rich device fingerprints so that fraud attempts can more convincingly impersonate the victim.
  • TrickBot adds anti-debugging/anti-analysis features, including detecting code beautification and triggering memory overloads to crash research tools.
  • Obfuscation and encoding techniques (Base64, minification, dead code, monkey patching) obscure the injected code and hinder analysis.
  • The campaign is tied to TrickBot’s broader criminal ecosystem, including phishing, malspam, BazarCall, and potential ransomware/lateral movement use.
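The obfuscation and monkey-patching points above translate into two checks a defender can script. The following Node-runnable JavaScript is an added example, not code from the IBM Trusteer report and not TrickBot's own code: it peels Base64 encoding layers off a captured inject so the text can be reviewed, scans the decoded text for reviewer-flagged patterns, and verifies that browser built-ins a banking page relies on still report native code. The captured payload is constructed, and the pattern list and the set of checked built-ins are this example's assumptions.

```javascript
// Added example: defender-side checks for injected web payloads.
// Not from the IBM Trusteer report and not TrickBot code.

// Constructed sample: a harmless stand-in for a captured inject, wrapped
// in two layers of Base64 the way a loader might hand it to the page.
const innerPayload = 'JSON.parse=function(s){return s}; /*dead*/ var x=0;';
const capturedInject = Buffer.from(
  Buffer.from(innerPayload, 'utf8').toString('base64'), 'utf8'
).toString('base64');

// Peel Base64 layers until the text stops looking like canonical Base64
// that decodes to mostly printable output. Returns { text, layers }.
function peelBase64(input, maxLayers = 8) {
  let text = input.trim();
  let layers = 0;
  while (layers < maxLayers) {
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(text) || text.length % 4 !== 0) break;
    const decoded = Buffer.from(text, 'base64');
    // A plain word such as "abcd" is Base64-shaped too, so require a
    // round trip and a high share of printable characters before peeling.
    if (decoded.toString('base64') !== text) break;
    const asText = decoded.toString('utf8');
    if (asText.length === 0) break;
    const printable = asText.replace(/[^\x20-\x7e\r\n\t]/g, '').length;
    if (printable / asText.length < 0.95) break;
    text = asText;
    layers++;
  }
  return { text, layers };
}

// Review heuristics for decoded inject text. The regexes are this
// example's assumptions, not signatures taken from the report.
const SUSPICIOUS_PATTERNS = [
  { name: 'native-prototype-reassignment',
    re: /\b(?:JSON\.(?:parse|stringify)|XMLHttpRequest\.prototype\.(?:open|send)|(?:window\.)?fetch)\s*=\s*function/ },
  { name: 'debugger-statement', re: /\bdebugger\b/ },
  { name: 'large-allocation', re: /new\s+Array\s*\(\s*\d{7,}\s*\)/ },
];

function scanInject(text) {
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Runtime integrity check: the source text of a genuine built-in reports
// "[native code]"; a script-defined replacement does not.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Resolve dotted paths on a root object and report the ones that no
// longer point at native functions.
function findPatchedBuiltins(root, paths) {
  const patched = [];
  for (const path of paths) {
    const fn = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), root);
    if (!isNativeFunction(fn)) patched.push(path);
  }
  return patched;
}

// Demo: decode the constructed sample, scan it, and run the integrity
// check against a sandbox object that mimics a page whose JSON.parse
// has been replaced (the replacement is done directly, without eval).
function demo() {
  const peeled = peelBase64(capturedInject);
  const sandbox = {
    JSON: { parse: JSON.parse, stringify: JSON.stringify },
    Array: { prototype: { push: Array.prototype.push } },
  };
  sandbox.JSON.parse = function (s) { return s; };
  return {
    layers: peeled.layers,
    findings: scanInject(peeled.text),
    patched: findPatchedBuiltins(sandbox, ['JSON.parse', 'JSON.stringify', 'Array.prototype.push']),
  };
}

console.log(JSON.stringify(demo()));
```

On the sample this reports two peeled layers, the reassignment pattern, and `JSON.parse` as patched. The integrity check has a known limit: `Function.prototype.toString` can itself be replaced by injected code, and bound functions also report native code, so in a real page the reference should be captured before any third-party script runs or the check executed from an isolated context such as a browser extension content script.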

MITRE Techniques

  • [T1105] Ingress Tool Transfer – TrickBot’s downloader/JS loader communicates with its inject server to fetch injections. ‘the resident TrickBot malware uses a downloader or a JavaScript (JS) loader to communicate with its inject server.’
  • [T1071.001] Web Protocols – The JS downloader uses HTTPS to contact the C2 and fetch per-page injections. ‘The request to the C2 server yields a web injection…’
  • [T1027] Obfuscated/Compressed Files and Information – Code is encoded/obfuscated with Base64, minified/uglified, and includes dead code and monkey patching. ‘The code TrickBot injects is meant to be obfuscated. It is first encoded with Base64…’
  • [T1562.001] Impair Defenses – TrickBot hooks the certificate verification function to bypass TLS warnings during C2 communication. ‘TrickBot hooks the certificate verification function on the infected device.’
  • [T1059.001] PowerShell – Living-off-the-land tactics include PowerShell scripts used by TrickBot. ‘living-off-the-land tactics like PowerShell scripts.’
  • [T1566.001] Phishing – TrickBot’s distribution relies on phishing/malspam and related social engineering (e.g., BazarCall). ‘TrickBot distributes multi-stage malware through phishing emails, malspam, botnets, hijacked email conversations and even a malicious call center known as BazarCall.’

Indicators of Compromise

  • [Domain] context – myca.adprimblox.fun, ksx.global-management-holdings.com, on.imagestorage.xyz, 997.99722.com, akama.pocanomics.com, web7.albertleo.com (and 4 more domains)
  • [IP Address] context – 94.242.58.165, 185.14.30.111, 208.115.238.183, 51.83.210.212, 103.119.112.188, 185.198.59.85 (and 4 more IPs)
  • [SHA1 Hash] context – jquery-1.10.1.js: 5acd3cddcc921bca18c36a1cb4e16624d0355de8, downloader js: ae1b927361e8061026c3eb8ad461b207522633f2

Read more: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/