TrickBot Malware Devs Implemented Anti-Debugging Feature that Crashes Researchers' Browsers

Silviu STAHIE

January 28, 2022

TrickBot's developers have introduced a new measure that tries to stop anyone from looking at the code and discovering the malware's underpinnings, essentially crashing the browser used in the investigation, security researchers have discovered.

Malware developers go to great lengths to keep their code hidden from security researchers, and with good reason. Encrypting the code or using polymorphic code are just two methods developers use to try to stop security solutions from detecting them. Fortunately, machine learning and advanced heuristics take over, so the malware is detected eventually anyway.

In their attempts to conceal the malware from security solutions, the developers hide the initial payloads and obfuscate the code itself. Moreover, the malware uses server-side injections to deploy additional payloads, which the developers want to keep away from prying eyes.

"To further protect its injections, TrickBot added an anti-debugging script to the JS code," say IBM's Security Intelligence researchers. "The goal is to anticipate the typical actions researchers will take and ensure their analysis fails. In this case, TrickBot can trigger a memory overload that would crash the page and hinder the analysis."

When security researchers try to make the code more readable, they apply various methods to "beautify" it, triggering the protection.

"TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration," the researchers said. "After a few rounds, memory is eventually overloaded, and the browser crashes."

Of course, this is not the only measure. Malware developers also add dead or redundant code, replace strings, and make the code unreadable by any means necessary.

Right now, TrickBot is one of the most prominent banking trojans in operation. Its modular nature and the various ways it spreads online make it very difficult to eradicate. The best protection is to have security solutions installed on every device, along with employee training, multi-factor authentication, email security, offline backups, and an improved network architecture that limits lateral movement.
