TrickBot Malware Devs Implemented Anti-Debugging Feature that Crashes Researchers' Browsers

TrickBot's developers have introduced a new measure that tries to stop anyone from looking at the code and discovering the malware's underpinnings, essentially crashing the browser used in the investigation, security researchers have discovered.

Malware developers go to great lengths to keep their code hidden from security researchers, and with good reason. Encrypting the code or using polymorphic code are just two methods developers use to try to stop security solutions from detecting them. Fortunately, machine learning and advanced heuristics take over, so the malware is detected eventually anyway.

In their attempts to conceal the malware from security solutions, the initial payloads are hidden, and the code itself is obfuscated. Moreover, the malware uses server-side injections to deploy additional payloads, which they want to keep away from prying eyes.

"To further protect its injections, TrickBot added an anti-debugging script to the JS code," say the Security Intelligence researchers and IBM. "The goal is to anticipate the typical actions researchers will take and ensure their analysis fails. In this case, TrickBot can trigger a memory overload that would crash the page and hinder the analysis."

When security researchers try to make the code more readable, they apply various methods to "beautify" it, triggering the protection.

"TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration," the researchers said. “After a few rounds, memory is eventually overloaded, and the browser crashes.

Of course, this is not the only measure. Malware developers also add dead or redundant code, replace strings, and make the code unreadable by any means necessary.

Right now, TrickBot is one of the prominent banking trojans in operation. Its modular nature and the various ways it spreads online make it very difficult to eradicate. The best protection is to have security solutions installed on every device, along with employee training, multi-factor authentication, email security, offline backups, and improved network architecture that limits lateral movements.