A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.
“TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically,” Check Point Research’s Arie Olshtein said, calling it a “master of disguises.”
Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism.
“Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion techniques,” Proofpoint noted in December 2020.
But the frequent updates to the commercial packer-as-a-service meant TrickGate has been tracked under various names such as new loader, Loncom, and NSIS-based crypter since 2019.
Telemetry data gathered by Check Point indicates that the threat actors leveraging TrickGate have primarily singled out the manufacturing sector, and to a lesser extent, education, healthcare, government, and finance verticals.
The most popular malware families used in the attacks in the past two months include FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore, with significant concentrations reported in Taiwan, Turkey, Germany, Russia, and China.
The infection chain involves sending phishing emails with malicious attachments or booby-trapped links that lead to the download of a shellcode loader that’s responsible for decrypting and launching the actual payload into memory.
The Israeli cybersecurity firm’s analysis of the shellcode shows that it “has been constantly updated, but the main functionalities exist on all the samples since 2016.” Olshtein noted “the injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes.”