Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware

A malicious live software service named TrickGate has been used by threat actors to bypass endpoint detection and response (EDR) protection software for over six years.

The findings come from Check Point Research (CPR), who shared them with Infosecurity earlier today. Described in a new advisory, the research also suggests that several threat actors from groups such as Emotet, REvil, Maze and more exploited the service to deploy malware.

More specifically, CPR estimated that, throughout the last two years, threat actors conducted between 40 and 650 attacks per week using TrickGate. Victims were located mainly in the manufacturing sector but also in education, healthcare, finance and business enterprises.

“The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey," CPR wrote. "The most popular malware family used in the last two months is Formbook, marking 42% of the total tracked distribution.”

According to CPR, TrickGate managed to stay under the radar for years due to its transformative property of undergoing periodic changes.

“While the packer's wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today,” reads the advisory.

From a technical standpoint, CPR security researcher Arie Olshtein wrote that the malicious program is encrypted and then packed with a special routine, which is in turn designed to bypass the protected system to prevent systems from detecting the payload statically and on run-time.

Further, CPR malware research and protection group manager Ziv Huyan told Infosecurity that the team managed to connect the dots from previous research and point to a single operation that seemed to be offered as a service.

“The fact that many of the biggest threat actors in recent years have been choosing TrickGate as a tool to overcome defensive systems, is remarkable,” Huyan explained.

“We monitored the appearance of TrickGate, written by utilizing different types of code language and using different file types. But the core flow remained relatively stable. The same techniques used six years ago are still in use today.”

Another piece of malware designed to evade detection is SparkRAT, which was recently deployed by the DragonSpark group to target East Asian organizations.

What’s Hot on Infosecurity Magazine?