31 January 2023

Six-year-old TrickGate software service used to deploy Emotet, REvil, Maze malware

A malicious software service called TrickGate, still active today, has been used by threat actors to bypass endpoint detection and response (EDR) software and antivirus products for over six years.

First spotted in July 2016, TrickGate is a shellcode-based packer offered as a service, which over the past several years has been used to deploy various types of malware, such as ransomware, RATs, info-stealers, bankers, and miners, including Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, CoinMiner, Remcos, Lokibot, and AgentTesla. Furthermore, the service is regularly used by state-sponsored hacker groups to wrap their malicious code and prevent detection by security solutions.

“TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names. While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today,” Check Point research team explains.

“By using a packer, malicious actors can spread their malware more easily with fewer repercussions. One of the main characteristics of a commercial Packer-as-a-Service is that it doesn’t matter what the payload is, which means it can be used to pack many different malicious samples. Another important characteristic of the packer is that it is transformative – the packer’s wrapper is changed on a regular basis which enables it to remain invisible to security products.”

The researchers estimate that during the past two years threat actors conducted between 40 and 650 attacks per week using TrickGate, mainly targeting victims in the manufacturing sector, but also in the education, healthcare, and finance sectors.

The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last two months is Formbook, accounting for 42% of the total tracked distribution, Check Point says.

The researchers were not able to link the service to any particular country, but they believe that, based on the serviced customers, it is a Russian-speaking underground gang.
