TrickGate: The Malware Master of Disguise
By: Critical Start Cyber Threat Intelligence (CTI) Team
Summary: The TrickGate Evolution
The TrickGate packer is a master of disguise, enabling harmful malware to evade EDR and antivirus detection. Known by various names such as “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter,” TrickGate has remained under the cybersecurity radar for the past six years, thanks to continuous efforts by its developers to transform and improve its abilities, adding features such as custom hash functions, Callback Function abuse, and more. Top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, and AgentTesla, have packed and deployed their malware using TrickGate. Despite its continued evolution over time, the core building blocks of TrickGate’s shellcode have remained consistent, and it continues to be a popular packer choice today.
Attack Pattern:
In most cases of infection, threat actors gain initial access via phishing emails containing malicious attachments or links, which lead users to downloading a malware dropper. Multiple dropper configurations have been observed, with multiple file types and delivery permutations, but all variants lead to the TrickGate shellcode loader.
The shellcode loader is responsible for decrypting and loading the TrickGate shellcode into memory. This shellcode is the core of the packer, responsible for decrypting and injecting the final malware payload into a new process. The payload then carries out its intended malicious activity, which depends largely on the threat actor who deployed the malware.
Capabilities:
TrickGate is offered as a service to threat actors, enabling them to effectively hide their malware payloads from security solutions. As an obfuscation method, it can encrypt the malware payload to avoid detection. The most common malware families used in recent attacks are FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore, with significant activity reported in Taiwan, Turkey, Germany, Russia, and China.
Primary Industry Targets:
Researchers observed that the actors using TrickGate primarily target the manufacturing sector, followed by education, healthcare, government, and finance.
Conclusion: TrickGate Will Continue Popularity
The TrickGate packer has become popular with many threat actors and APT groups who seek to spread ransomware, remote access trojans (RATs), info-stealers, banking trojans, and crypto miners. Previously, thanks to its widespread use by unrelated threat groups, various iterations of TrickGate were thought to be separate distinct packers. After further study, researchers have now determined that the similarities in both shellcode and behavior demonstrate a strong link between the observed samples. Experts predict that TrickGate will see continued popularity among threat actors seeking to conceal their malicious code and evade security technologies.
Critical Start’s CTI team will continue to monitor new malware developments and work closely with the Threat Detection Engineering (TDE) team and our SOC to implement any relevant detections. For future updates on emerging threats, follow the ZTAP ® Bulletins and the Critical Start Intelligence Hub.
References
Stay Connected on Today’s Cyber Threat Landscape
RELATED RESOURCES
- Webinar
Hook, Line, & Secure: Leveraging MDR to Streamline Phishing Detection & Response
Join Tim Bandos, Field CISO at Critical Start, as he explores the evolving landscape of phishing att... - Webinar
[On-Demand Webinar] Leveraging MDR to Streamline Phishing Detection and Response
The evolving threat of phishing requires organizations to adopt smarter, faster, and more effective ... - News
Malicious Python Package “Fabrice” Steals AWS Credentials via 37,000+ Downloads
Nov 7, 2024 | A malicious Python package called “Fabrice” was typosquatting the popular Fabric S...
RESOURCE CATEGORIES
- Buyer's Guides(1)
- Consumer Education(40)
- Consumer Stories(2)
- Cybersecurity Consulting(7)
- Data Breaches(15)
- Data Privacy(43)
- Incident Response(2)
- Interview(51)
- MDR Services(77)
- MobileSOC(9)
- News(5)
- Press Release(96)
- Research Report(11)
- Security Assessments(4)
- Thought Leadership(19)
- Threat Hunting(3)
- Video(1)
- Vulnerability Disclosure(1)