Check Point Research (CPR) has spotted a live software service that has been helping threat actors bypass EDR (Endpoint Detection and Response) protection for over six years.
Named “TrickGate”, the service has customers including well-known actors such as Cerber, TrickBot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.
TrickGate managed to stay under the radar for years because it changes periodically. While the packer’s wrapper changed over time, the main building blocks within the TrickGate shellcode are still in use today.
Victims
CPR monitored between 40 and 650 attacks per week throughout the last two years. According to its telemetry, the threat actors using TrickGate primarily target the manufacturing sector, but also attack education facilities, healthcare, finance, and business enterprises.
The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last two months is Formbook, accounting for 42% of the total tracked distribution.
Attack Flow
The attack flow takes many forms. The shellcode is the core of the TrickGate packer: it decrypts the malicious code and stealthily injects it into new processes.
The malicious program is encrypted and then packed with a special routine designed to bypass the protected system, so that many security products cannot detect the payload either statically or at run time.
Attribution
CPR could not establish a clear affiliation and assumes, based on the customers the service has served, that its operator is a Russian-speaking underground gang.
“TrickGate is a master of disguises,” says Ziv Huyan, malware research and protection group manager at Check Point Software. “It has been given many names based on its varied attributes, including, ‘Emotet’s packer’, ‘new loader’, ‘Loncom’, ‘NSIS-based crypter’ and more. We connected the dots from previous research and with high confidence point to a single operation that seems to be offered as a service.
“The fact that many of the biggest threat actors in recent years have been choosing TrickGate as a tool to overcome defensive systems is remarkable,” Huyan adds. “Simply put, TrickGate has incredible techniques of masquerading and evasion. We monitored the appearance of TrickGate written by utilising different types of code language and using different file types. But the core flow remained relatively stable. The same techniques used six years ago are still in use today.”