
Cybercrime, the new TrickBot dropper analyzed in depth

Yoroi-Cybaze ZLab analyzed in depth the TrickBot dropper of the new cybercrime malware campaign

Cybercriminals launched a new malspam campaign aimed at spreading TrickBot malware via weaponized email attachments. Yoroi-Cybaze ZLab cyber security experts analyzed the malicious Word documents in depth, revealing an interesting dropper composed of several thousand highly obfuscated lines of code and abusing the so-called ADS (Alternate Data Stream). TrickBot is one of the best-known banking Trojans and has been infecting victims since 2016; it is considered part of the cybercrime arsenal and is still under development. Since it first appeared in 2016, the malware has added functionalities and exploit capabilities, such as those for the infamous SMB vulnerability (MS17-010), including EternalBlue, EternalRomance or EternalChampion. Furthermore, its modularity has recently brought the malware to a higher level: it can be considered a sort of malicious implant that also provides tools and mechanisms for advanced attackers to penetrate company networks.

The cyber security experts: the dropper contains highly obfuscated JavaScript code of about 10 thousand lines

According to the cyber security experts, the analyzed dropper contains highly obfuscated JavaScript code of about 10 thousand lines. This new infection chain structure represents an increased threat to companies and users: it can achieve low detection rates, enabling the unnoticed delivery of the TrickBot payload, which can be really dangerous for its victims. Just a few days, or even a few hours in some cases, of active infection could be enough to propagate advanced ransomware attacks all across the company IT infrastructure. Furthermore, the analyzed attachment reveals its nature through an initial, trivial trick: the attacker simply used a white font to hide the malicious content from the unaware user (and from the endpoint agents). Just changing the font foreground color unveils some dense JavaScript code, which will be executed in the next stages of the infection chain.
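A defender-side check for the white-font trick described above, as an added example that is not part of the Yoroi-Cybaze ZLab analysis: it counts the text a document stores in near-white runs and flags large amounts. It assumes an OOXML (.docx) attachment; the function names, the 200-character threshold and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}

def is_near_white(val):
    """True for RRGGBB values where every channel is >= 0xF0 ('auto' etc. -> False)."""
    try:
        r, g, b = (int(val[i:i + 2], 16) for i in (0, 2, 4))
    except ValueError:
        return False
    return min(r, g, b) >= 0xF0

def white_text_chars(docx_bytes, min_chars=200):
    """Return (chars_in_near_white_runs, suspicious) for one .docx file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    total = 0
    for run in root.iter(f"{{{W}}}r"):
        color = run.find("w:rPr/w:color", NS)
        if color is not None and is_near_white(color.get(f"{{{W}}}val", "")):
            total += sum(len(t.text or "") for t in run.findall("w:t", NS))
    return total, total >= min_chars

def build_sample(color="FFFFFF"):
    """Constructed sample: one visible run plus one coloured run of filler text."""
    xml = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t>Invoice attached.</w:t></w:r>'
        f'<w:r><w:rPr><w:color w:val="{color}"/></w:rPr>'
        f'<w:t>{"var a = 1; " * 40}</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for c in ("FFFFFF", "000000"):
        print(c, white_text_chars(build_sample(c)))
```

The check reads only the run-level colour property, so text hidden through a paragraph style or theme colour would need those parts resolved as well.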
