Check Point Research (CPR) recently reported on a live software service, dubbed TrickGate, that has been used by malicious threat actors for over six years. TrickGate is essentially a packer that allows cybercriminals to carry out malicious activities, such as deploying malicious code by evading antivirus checks.
According to researchers, there are a few key points that allow a packer such as TrickGate to remain efficient and undetectable for so many years.
First, a packer can contain any kind of payload, and since it is not limited to any single one, it can also be used to pack many different malicious samples.
Secondly, a packer’s inherent nature allows for changes to its wrapper on a regular basis, which enables it to evade detection from security products.
However, CPR was able to connect the dots from prior research and ended up finding a single operation that appeared to be offered as a service. Their research suggests that numerous threat actors from groups such as Cerberus, Emotet, REvil, Maze, Cerber, HawkEye, AZORult, Formbook, Remcos, LokiBit, AgentTesla and more exploited the service to deploy malware.
The advisory further estimates that, during the last two years, threat actors have used TrickGate to conduct 40 to 60 attacks per week. The majorly targeted industry was manufacturing, but others such as education, healthcare, finance, and business enterprises were also affected.
“The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last 2 months is Formbook with 42% of the total tracked distribution,” CPR wrote in its report.
Going into technical depth, CPR security researcher Arie Olshtein explained that the entire attack flow of TrickGate shows that the malicious program is first encrypted and then packed with a special routine. It is designed to prevent the system from detecting the payload statically and at run-time.
CPR’s advisory concludes with the need for more attention to unravelling the packer’s building blocks since they provide a way to detect the threat at an early stage. The only way to tackle a hacker’s transformative abilities is by giving them the same attention that is given to actual malware. Researchers can now use the identified packer, TrickGate, as a focal point to detect new or unknown malware.