Most Ransomware gangs used this packer to bypass antivirus and encrypt devices

by time news

Packers are becoming an increasingly important tool for cybercriminals. On hacker forums a packer is sometimes referred to as a “crypter” or as “FUD” (fully undetectable). Its main function is to make it harder for antivirus systems to identify malicious code; with a packer, malicious actors can spread their malware faster and with fewer consequences. One of the main qualities of a commercial Packer-as-a-Service is that it does not matter what the payload is: it can be used to pack many different harmful samples, which opens up many opportunities for cybercriminals. Another key quality of the packer is that it is transformative: because the packer’s wrapper changes frequently, it can avoid detection by security products.

According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to fly under the radar of cyber security researchers for several years now and is constantly improving in a variety of different ways.

Although a great deal of research has been done on the packer itself, TrickGate is a master of disguise and, because it has so many different features, has been given a number of different names, including “TrickGate”, “Emotet packer”, “new loader”, “Loncom”, and “NSIS-based encryptor”.

Check Point first observed TrickGate in late 2016, when it was used to spread the Cerber malware. Since then, the researchers have tracked TrickGate continuously and found that it is used to distribute many kinds of malicious tools, including ransomware, RATs, information stealers, bankers, and miners. A significant number of APT groups and threat actors use TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most widely known and distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla and many more.

There is a great deal of variation in the initial access used by the packer’s customers. The researchers observe packed samples that are mainly spread via phishing emails with malicious attachments, as well as via malicious URLs.

The shellcode loader is the second stage; it is responsible for decrypting and executing the shellcode.

The researchers found the shellcode loader written in three different programming languages: similar functionality is achieved with NSIS scripts, AutoIT scripts, and C. The shellcode is the core component of the wrapper; it decrypts the payload and covertly injects it into a new process. The payload is the actual malicious code that carries out the intended malicious action, and it differs from actor to actor depending on how they used the wrapper.

It is also notable that TrickGate makes direct system calls, using a method similar to Hell’s Gate. Hell’s Gate is a technique first shown publicly in 2020 as a mechanism for dynamically obtaining system call numbers and executing system calls directly, which sidesteps the user-mode API functions that many security products hook.
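As an added example from the defender’s side (not code from Check Point’s report or from this article), the following Python heuristic scans memory-region bytes for the x64 system-call stub shape that direct-syscall loaders in the Hell’s Gate style reproduce outside ntdll.dll. The region names, bytes and syscall numbers below are constructed placeholders.

```python
import re
import struct

# x64 syscall stub shape that direct-syscall techniques copy out of ntdll:
#   4C 8B D1          mov r10, rcx
#   B8 nn nn nn nn    mov eax, <syscall number>
#   0F 05             syscall
# Legitimate copies live inside ntdll.dll. The same bytes found in a packer's
# shellcode or in private executable memory are a hunting lead for the
# direct-syscall behaviour described above, not proof of malice on their own.
STUB_RE = re.compile(rb"\x4C\x8B\xD1\xB8(.{4})\x0F\x05", re.DOTALL)


def find_syscall_stubs(buf: bytes) -> list:
    """Return (offset, syscall_number) for every stub found in buf."""
    hits = []
    for m in STUB_RE.finditer(buf):
        ssn = struct.unpack_from("<I", m.group(1))[0]
        hits.append((m.start(), ssn))
    return hits


def suspicious_regions(regions: dict) -> dict:
    """Report stubs in every region except ntdll.dll itself.

    regions maps a label (module name, or "unbacked" for private executable
    memory) to its bytes; memory-dump tooling would supply this mapping.
    """
    findings = {}
    for name, data in regions.items():
        if name.lower() == "ntdll.dll":
            continue
        stubs = find_syscall_stubs(data)
        if stubs:
            findings[name] = stubs
    return findings


# Constructed sample data: a fake ntdll fragment, and a fake unbacked region
# that embeds two stubs amid filler bytes. Syscall numbers are arbitrary.
NTDLL_SAMPLE = b"\x90" * 8 + b"\x4C\x8B\xD1\xB8\x18\x00\x00\x00\x0F\x05\xC3"
UNBACKED_SAMPLE = (
    b"\xCC" * 5
    + b"\x4C\x8B\xD1\xB8\x3A\x00\x00\x00\x0F\x05\xC3"
    + b"\x00" * 3
    + b"\x4C\x8B\xD1\xB8\x55\x00\x00\x00\x0F\x05\xC3"
)

if __name__ == "__main__":
    sample = {"ntdll.dll": NTDLL_SAMPLE, "unbacked": UNBACKED_SAMPLE}
    for name, stubs in suspicious_regions(sample).items():
        for off, ssn in stubs:
            print(f"{name}: syscall stub at +0x{off:x}, SSN 0x{ssn:x}")
```

In practice the region map would come from a memory dump or EDR snapshot, and a hit in unbacked memory would be correlated with the process’s loaded-module list before raising an alert.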

The researchers built chains linking the most wanted malware of the past six years to a single Packer-as-a-Service, TrickGate. These chains were necessary because TrickGate’s morphing ability makes it difficult to detect and track. When identifying a threat, a solid understanding of the packer’s components is essential, because stopping the packer blocks the threat at an earlier stage, before the payload starts executing.

Researchers tend to focus on the actual malware and set the packer’s code aside, so packers receive less attention than they otherwise would. Once the packer is detected, however, it can serve as a focal point for identifying new or previously unknown forms of malware.
