Last Updated on 01/12/2021 by Sunaina
It’s nothing new for TrickBot operators to try to avoid detection and analysis by checking the screen resolution of a victim’s system. The TrickBot gang only a year ago added a new feature to its malware that terminated infection chains if non-standard screen resolutions were detected on the devices.
A threat hunter and Cryptolaemus security group member recently discovered an HTML attachment containing a bogus insurance purchase alert. On a physical system, the attachment downloads a ZIP archive; in a virtual environment, it instead redirects the victim to the American Broadcasting Company (ABC) website. The script distinguishes the two by checking whether the web browser is using a software renderer such as SwiftShader, VirtualBox, or LLVMpipe, which usually implies a virtual machine. In addition, the script examines the colour depth, height, and width of the screen.
Researchers claim that this is the first time a gang has used a script in an HTML attachment to check for screen resolution.
When you open the email attachment in your default web browser, the HTML file from the campaign is launched. A message appears informing users that the document is being loaded. It then requests a password to gain access to it. The infection chain on a regular user’s machine begins with the download of a ZIP archive containing the TrickBot executable. This method of downloading malware is known as HTML smuggling, and it works by including JavaScript code encoded in an HTML file, which bypasses a browser’s content filters and sneaks malicious files onto a compromised system.
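The following scanner, an added example and not code from the article or from any vendor, shows how a mail gateway or triage script could flag an HTML attachment that combines the two behaviours described above: environment fingerprinting (WebGL renderer names, screen geometry) and HTML smuggling idioms (base64 decoding into a Blob that is offered for download). The two sample attachments are constructed for this example; the indicator list, the score thresholds and the verdict labels are assumptions of this example, not published detection signatures.

```python
"""Heuristic scanner for HTML e-mail attachments that combine browser
fingerprinting (renderer / screen checks) with HTML smuggling idioms.
Added example; indicator names and verdict labels are this example's own."""
import re
from html.parser import HTMLParser

# Indicator groups searched inside inline <script> text.
INDICATORS = {
    # WebGL extension that exposes the real renderer string
    "renderer_fingerprint": re.compile(
        r"WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL", re.I),
    # Software renderer names that typically indicate a VM or sandbox
    "software_renderer_names": re.compile(
        r"SwiftShader|VirtualBox|llvmpipe", re.I),
    # Screen size / colour depth probes
    "screen_geometry": re.compile(
        r"screen\.(?:width|height|colorDepth|availWidth|availHeight)", re.I),
    # HTML smuggling building blocks: decode, wrap in Blob, hand to the browser
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"new\s+Blob\s*\("),
    "client_download": re.compile(
        r"createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*="),
}


class _ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data  # script bodies may arrive in chunks


def extract_scripts(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def scan_attachment(html: str) -> dict:
    """Return matched indicator names and a coarse verdict for one attachment."""
    script_text = "\n".join(extract_scripts(html))
    hits = {name: bool(rx.search(script_text)) for name, rx in INDICATORS.items()}
    fingerprints = (hits["renderer_fingerprint"] or hits["software_renderer_names"]
                    or hits["screen_geometry"])
    smuggles = hits["base64_decode"] and hits["blob_construct"] and hits["client_download"]
    if fingerprints and smuggles:
        verdict = "suspicious: environment check combined with HTML smuggling"
    elif smuggles:
        verdict = "review: client-side file drop without environment check"
    elif fingerprints:
        verdict = "low: environment fingerprinting only"
    else:
        verdict = "clean"
    return {"indicators": [n for n, h in hits.items() if h], "verdict": verdict}


# Constructed sample mimicking the checks the article describes (PAYLOAD_B64 is
# an undefined placeholder; this fragment is not a working dropper).
SUSPICIOUS_SAMPLE = """<html><body>
<p>Loading document, please wait...</p>
<script>
var gl = document.createElement('canvas').getContext('webgl');
var info = gl.getExtension('WEBGL_debug_renderer_info');
var renderer = gl.getParameter(info.UNMASKED_RENDERER_WEBGL);
if (/SwiftShader|VirtualBox|llvmpipe/i.test(renderer) || screen.colorDepth < 24) {
  location.href = 'https://example.invalid/';
} else {
  var blob = new Blob([atob(PAYLOAD_B64)], {type: 'application/zip'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'document.zip';
}
</script></body></html>"""

# Constructed benign sample: reads screen size for layout, no file drop.
BENIGN_SAMPLE = """<html><body><div id="sz"></div>
<script>document.getElementById('sz').textContent = screen.width + 'x' + screen.height;</script>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_attachment(sample))
```

The renderer and screen checks on their own are common in legitimate pages (layout code, WebGL capability probes), so the scanner only escalates to "suspicious" when they co-occur with the decode-to-Blob-to-download chain that HTML smuggling relies on; in a sandbox, pairing this static verdict with the behavioural observation that the page redirects rather than drops a file is the stronger signal.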
TrickBot operators are now using device screen resolutions to determine whether the targeted environment is virtual or not. Organizations need a tool that can examine files based on their behaviour and deliver reports on significant system changes to stay protected from such threats.