A packer-as-a-service dubbed TrickGate has outlasted its competitors since 2016. Some researchers claimed that this payload carrier had lost its dominance because its operation had allegedly shut down. However, a recent investigation found TrickGate activity continuing over the past few years.
Researchers recorded between 40 and 650 TrickGate-related attacks per week over the last couple of years. The attacks spanned many countries, with Turkey and Taiwan the most heavily targeted.
The industries most targeted by TrickGate's users are manufacturing, academic institutions, healthcare firms, and financial institutions. From October to November last year, researchers recorded Formbook, AgentTesla, Remcos, and Nanocore as the malware strains most frequently distributed through this PaaS.
Since its appearance in 2016, numerous researchers have identified high-profile malware strains that employed TrickGate's services. The best-known strains that used this PaaS are Cobalt Strike, Emotet, REvil and TrickBot.
Threat groups that employed the TrickGate service have followed the same basic attack chain to run their operations.
According to investigations, TrickGate customers have commonly used phishing emails carrying malicious attachments to gain initial access.
The first stage is the attached file itself, an executable or another file type; whatever its format, it leads to the same shellcode loader. That loader decrypts the shellcode and loads it into memory.
Next comes a second shellcode that serves as the packer's core. It is responsible for decrypting the final payload and injecting it into a new process in a way designed to evade detection.
Finally, the primary payload is the last stage of the attack and the actual malicious code. It carries out whatever objective the threat actor has set for the operation.
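The chain above (attachment launched from a mail client, a loader stage, then injection into a freshly spawned process) leaves a recognisable footprint in endpoint telemetry. The following is an added example, not TrickGate's code and not from the original article: a small detector that correlates process-creation and remote-thread events and flags a process that both descends from a mail attachment and injects into a process it spawned itself. The log format is a constructed, simplified Sysmon-like JSON (Event 1 = ProcessCreate, Event 8 = CreateRemoteThread), and the mail-client names and attachment directories are assumptions chosen for the demonstration.

```python
"""Added example: detect the staged delivery chain (phishing attachment ->
loader -> injection into a newly spawned process) in constructed telemetry.
Not TrickGate's code; the log format and heuristics are assumptions."""

import json

# Mail clients whose direct children are likely launched attachments (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Directories where mail clients unpack attachments (assumption, lowercase).
ATTACHMENT_DIRS = ("\\content.outlook\\", "\\temp\\", "\\downloads\\")

# Constructed sample telemetry, one Sysmon-like JSON event per line.
# Events 1 = ProcessCreate, 8 = CreateRemoteThread (simplified field set).
SAMPLE_LOGS = r"""
{"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1200, "Image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"}
{"EventID": 1, "ProcessId": 5120, "ParentProcessId": 4100, "Image": "C:\\Users\\a\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\X1Y2\\invoice.exe"}
{"EventID": 1, "ProcessId": 5300, "ParentProcessId": 5120, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 8, "SourceProcessId": 5120, "TargetProcessId": 5300}
{"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1200, "Image": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 6100, "ParentProcessId": 6000, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"}
{"EventID": 8, "SourceProcessId": 6000, "TargetProcessId": 6100}
""".strip().splitlines()


def parse_events(lines):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def build_process_table(events):
    """Map pid -> {image, ppid} from ProcessCreate (Event 1) records."""
    procs = {}
    for e in events:
        if e["EventID"] == 1:
            procs[e["ProcessId"]] = {"image": e["Image"], "ppid": e["ParentProcessId"]}
    return procs


def basename(path):
    """Lowercase file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_attachment_origin(pid, procs):
    """True if pid or any known ancestor looks like a launched mail attachment:
    its image sits in an attachment directory, or its parent is a mail client."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        info = procs[pid]
        if any(d in info["image"].lower() for d in ATTACHMENT_DIRS):
            return True
        parent = procs.get(info["ppid"])
        if parent and basename(parent["image"]) in MAIL_CLIENTS:
            return True
        pid = info["ppid"]
    return False


def detect_staged_injection(lines):
    """Flag CreateRemoteThread events where the injector spawned its own target
    and the injector descends from a mail attachment. Both conditions must hold,
    so explorer.exe injecting into a child it spawned is not flagged on its own."""
    events = parse_events(lines)
    procs = build_process_table(events)
    findings = []
    for e in events:
        if e["EventID"] != 8:
            continue
        src, dst = e["SourceProcessId"], e["TargetProcessId"]
        target = procs.get(dst)
        spawned_by_injector = target is not None and target["ppid"] == src
        if spawned_by_injector and is_attachment_origin(src, procs):
            findings.append({
                "source": src,
                "source_image": procs[src]["image"],
                "target": dst,
                "target_image": target["image"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_staged_injection(SAMPLE_LOGS):
        print(f"injection from attachment-derived pid {f['source']} "
              f"({basename(f['source_image'])}) into spawned pid {f['target']} "
              f"({basename(f['target_image'])})")
```

Requiring both conditions keeps the rule narrow: a lone CreateRemoteThread into a child process is common in legitimate software, and a lone attachment launch is everyday user behaviour; the combination is what matches the chain the packer produces. In production the same logic would be driven from real Sysmon events and extended with the memory-write events (Event 10 process access, or EDR equivalents) that precede the thread creation.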
TrickGate has become an attractive service for numerous threat actors because it is a master of disguise, and its adoption by well-known malware operations such as Emotet has served as an endorsement.
This PaaS has consistently evaded security detections because it has gone through repeated updates and can change its form. It has steadily improved its features by using custom functions, abusing callback mechanisms to execute its code indirectly, and employing other evasion tricks.