The infamous TrickBot malware has adopted yet another evasive feature to escape security checks. As observed in recent phishing campaigns, TrickBot checks the device’s screen resolution to detect virtual machines and bypass security analysis.
TrickBot Now Checks Screen Resolution
Reportedly, the threat hunter TheAnalyst has spotted a new TrickBot phishing campaign in which the malware exhibits strengthened capabilities. As observed, TrickBot now checks the screen resolution of the target device to detect virtual machines.
According to Bleeping Computer, the threat actors added this feature to the malware last year. It specifically looks for non-standard resolutions such as 800×600 and 1024×768, which are typical of analysis VMs rather than real user desktops.
Now this capability appears to have moved into the HTML attachment of the phishing message itself, which “behaves differently” when it lands on a VM. On a regular target device, the attachment drops a malicious file; on a VM, it redirects to “abc.com” instead.
Interesting #TrickBot gtag rob139. Obfuscated HTML attachment with encrypted zip with obfuscated js in blob (HTML smuggling). HTML redirects to /abc.com if it doesn't like the browser. JS > PS > EXE. EXE requires vcredist to run. https://t.co/FQBApWcQzj https://t.co/jSuKEhHfNc pic.twitter.com/yamrH9L13C
— TheAnalyst (@ffforward) November 22, 2021
In this way, it tries to evade detection and analysis by security researchers.
On a regular system, however, opening the malicious attachment delivers and executes the payload via “HTML smuggling”, where the browser itself reassembles the file from script-embedded data rather than fetching it from a server.
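As a defender-side illustration of the attachment behaviour described above, here is an added example (not code from the article or from the researchers it cites) of a small static triage script for HTML email attachments. It undoes the cheap string escapes obfuscators use, flags the JavaScript primitives that HTML smuggling relies on (Blob construction, atob, createObjectURL, the download attribute), decodes long base64 runs to see whether an archive or executable is embedded, and notes when a screen-geometry check is paired with a redirect. The indicator list, the thresholds, and the fixture attachment are all constructed for this example.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed indicator list (not taken from the article): JavaScript primitives
# routinely seen in HTML-smuggling droppers and in browser/VM fingerprinting.
INDICATORS = {
    "blob_construction": re.compile(r"new\s+Blob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "legacy_ie_save": re.compile(r"msSaveOrOpenBlob"),
    "download_attribute": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "screen_geometry_check": re.compile(
        r"screen\.(?:avail)?(?:Width|Height|width|height)|(?:inner|outer)(?:Width|Height)"
    ),
    "redirect": re.compile(r"location\.(?:replace|assign|href)"),
    "dropped_filename": re.compile(r"['\"][^'\"]*\.(?:zip|js|hta|iso|img)['\"]", re.I),
}

# Smuggled payloads usually travel as one long run of base64 alphabet characters.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# File signatures recognised inside decoded blobs (constructed table).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

SMUGGLING_PRIMITIVES = {
    "blob_construction", "base64_decode", "object_url", "legacy_ie_save", "download_attribute",
}


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)      # indicator name -> match count
    payloads: list = field(default_factory=list)  # (decoded size, detected file type)
    verdict: str = "clean"


def _normalize(text: str) -> str:
    """Undo \\xNN, \\uNNNN and %NN escapes so keyword matching sees plain text."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _decode_runs(text: str) -> list:
    """Decode every long base64 run and classify it by file signature."""
    found = []
    for m in BASE64_RUN.finditer(text):
        chunk = m.group(0)
        try:
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True)
        except Exception:
            continue  # not valid base64 after all (e.g. a long hex string)
        kind = next((k for magic, k in MAGIC.items() if raw.startswith(magic)), "unknown")
        found.append((len(raw), kind))
    return found


def scan_html_attachment(html: str) -> ScanResult:
    """Static triage of one HTML attachment; never executes any of its script."""
    text = _normalize(html)
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        n = len(pattern.findall(text))
        if n:
            result.hits[name] = n
    result.payloads = _decode_runs(text)

    primitives = SMUGGLING_PRIMITIVES & result.hits.keys()
    has_embedded_file = any(kind != "unknown" for _, kind in result.payloads)
    if len(primitives) >= 2 and (has_embedded_file or "dropped_filename" in result.hits):
        result.verdict = "likely_html_smuggling"
        if "screen_geometry_check" in result.hits and "redirect" in result.hits:
            result.verdict += "+sandbox_evasion"
    elif primitives or result.payloads:
        result.verdict = "suspicious"
    return result


# Constructed fixture: indicator lines only, not a working dropper. It mimics the
# shape described in the article (small screen -> redirect, otherwise an archive
# from a base64 blob) with a 304-byte stand-in "zip" and one escaped keyword.
SAMPLE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300).decode()
SAMPLE_ATTACHMENT = f"""<script>
if (screen.width < 1280 || screen.height < 800) {{ window.location.replace("abc.com"); }}
var d = atob("{SAMPLE_ZIP_B64}");
var b = new Blob([d]);
a.\\x64ownload = "invoice.zip";
a.href = URL.createObjectURL(b);
</script>"""

if __name__ == "__main__":
    r = scan_html_attachment(SAMPLE_ATTACHMENT)
    print(r.verdict, r.hits, r.payloads)
```

The script is deliberately static: it never renders or runs the attachment, so the malware's own browser and resolution checks cannot steer it, which is exactly the evasion the article describes. Its weakness is the mirror image: heavier obfuscation (string splitting, `String.fromCharCode` chains, custom decoders) will hide the keywords, so the base64-run decoder and an unusually large inline script are the indicators to keep even when the keyword matches come back empty.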
Recently, another phishing campaign targeting the banking sector drew attention for a similar HTML Smuggling trick.
Watch Out For Phishing Emails
Despite being highlighted time and again, phishing emails remain the most successful means of deploying malware. That is because all an attacker needs is a convincingly crafted email to lure users. Most users miss the obvious signs of a phishing message (such as an odd sender address, a vague subject line, or links embedded in the email body), so they are likely to click on malicious emails and attachments. That is what users need to improve on their end.
The key to preventing such phishing attacks is never to open email messages indiscriminately. No matter how genuine an incoming email seems, users should not open it unless they are confident they were expecting the message.
Even if the email impersonates a bank, it’s ideal to contact the bank officials directly via other means (such as a phone number or an alternate email address) to verify the message’s legitimacy. While it can be a burdensome job, it’s better to be safe than sorry.