TrickGate: The Malware Master of Disguise 

By: Critical Start Cyber Threat Intelligence (CTI) Team 

Summary: The TrickGate Evolution 

The TrickGate packer is a master of disguise, enabling harmful malware to evade EDR and antivirus detection. Known by various names such as “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter,” TrickGate has remained under the cybersecurity radar for the past six years, thanks to continuous efforts by its developers to transform and improve its abilities, adding features such as custom hash functions, Callback Function abuse, and more. Top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, and AgentTesla, have packed and deployed their malware using TrickGate. Despite its continued evolution over time, the core building blocks of TrickGate’s shellcode have remained consistent, and it continues to be a popular packer choice today. 

Attack Pattern: 

In most cases of infection, threat actors gain initial access via phishing emails containing malicious attachments or links, which lead users to downloading a malware dropper. Multiple dropper configurations have been observed, with multiple file types and delivery permutations, but all variants lead to the TrickGate shellcode loader.  

The shellcode loader is responsible for decrypting and loading the TrickGate shellcode into memory. This shellcode is the core of the packer, responsible for decrypting and injecting the final malware payload into a new process. The payload then carries out its intended malicious activity, which depends largely on the threat actor who deployed the malware. 

Capabilities:  

TrickGate is offered as a service to threat actors, enabling them to effectively hide their malware payloads from security solutions. As an obfuscation method, it can encrypt the malware payload to avoid detection. The most common malware families used in recent attacks are FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore, with significant activity reported in Taiwan, Turkey, Germany, Russia, and China. 

Primary Industry Targets: 

Researchers observed that the actors using TrickGate primarily target the manufacturing sector, followed by education, healthcare, government, and finance.  

Conclusion: TrickGate Will Continue Popularity 

The TrickGate packer has become popular with many threat actors and APT groups who seek to spread ransomware, remote access trojans (RATs), info-stealers, banking trojans, and crypto miners. Previously, thanks to its widespread use by unrelated threat groups, various iterations of TrickGate were thought to be separate distinct packers. After further study, researchers have now determined that the similarities in both shellcode and behavior demonstrate a strong link between the observed samples. Experts predict that TrickGate will see continued popularity among threat actors seeking to conceal their malicious code and evade security technologies. 
 

Critical Start’s CTI team will continue to monitor new malware developments and work closely with the Threat Detection Engineering (TDE) team and our SOC to implement any relevant detections. For future updates on emerging threats, follow the ZTAP ® Bulletins and the Critical Start Intelligence Hub

References 

  1. https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ 
  1. https://securityaffairs.com/141650/malware/trickgate-packer.html 
  1. https://cyware.com/news/trickgate-is-alive-and-kicking-as-a-preferred-payload-carrier-e6f38269/?web_view=true 

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form