Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years



Jan 31, 2023 | Ravie Lakshmanan | Threat Detection / Malware

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

“TrickGate managed to stay under the radar for years because it is transformative; it undergoes changes periodically,” Check Point Research’s Arie Olshtein said, calling it a “master of disguises.”

Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism.

“Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion techniques,” Proofpoint noted in December 2020.

But the frequent updates to the commercial packer-as-a-service meant TrickGate has been tracked under various names such as "new loader", Loncom, and "NSIS-based crypter" since 2019.

Telemetry data gathered by Check Point indicates that the threat actors leveraging TrickGate have primarily singled out the manufacturing sector, and to a lesser extent, the education, healthcare, government, and finance verticals.

The most popular malware families used in the attacks in the past two months include FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore, with significant concentrations reported in Taiwan, Turkey, Germany, Russia, and China.

The infection chain involves sending phishing emails with malicious attachments or booby-trapped links that lead to the download of a shellcode loader, which is responsible for decrypting the actual payload and launching it in memory.

The Israeli cybersecurity firm’s analysis of the shellcode shows that it “has been constantly updated, but the main functionalities exist on all the samples since 2016,” Olshtein noted. “The injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes.”
