It is nothing new for TrickBot operators to try to evade detection and analysis by checking the screen resolution of a victim's system. About a year ago the gang added a feature to the malware itself that aborted the infection chain when it found a non-standard screen resolution, a common tell for analysis sandboxes and virtual machines.
A threat hunter and member of the Cryptolaemus security group recently discovered an HTML attachment carrying a bogus insurance purchase alert. The script embedded in the attachment behaves differently depending on where it runs: on a physical system it downloads a ZIP archive, while in a virtual environment it redirects the victim to the American Broadcasting Company (ABC) website. It tells the two apart by checking whether the graphics renderer the browser reports is a software renderer such as SwiftShader, VirtualBox or LLVMpipe, which usually means the browser is running inside a virtual machine, and by inspecting the colour depth, height and width of the screen.
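The following is an added example of the kind of browser-side check the article describes, written for this page to make the decision logic concrete; it is not the attacker's script. The renderer substrings, the screen thresholds, the decoy behaviour and the sample fingerprints are all assumptions chosen for illustration, since the article does not publish the real script's values.

```javascript
// Added illustration of a browser-side virtual-machine check built from a
// software-renderer test plus screen geometry. NOT the attacker's script; the
// marker list, thresholds and decoy behaviour are assumptions for this example.

// Substrings that identify CPU-only (software) OpenGL/WebGL renderers.
// Assumption: the three names the article mentions, matched case-insensitively.
const SOFTWARE_RENDERER_MARKERS = ["swiftshader", "llvmpipe", "virtualbox"];

function rendererLooksSoftware(renderer) {
  if (typeof renderer !== "string") return false;
  const r = renderer.toLowerCase();
  return SOFTWARE_RENDERER_MARKERS.some((marker) => r.includes(marker));
}

// Screen sanity check. Assumption: a real desktop reports 24-bit or deeper
// colour and at least 1024x768; headless browsers and default sandbox VMs
// frequently report 800x600 or missing/zero values.
function screenLooksSynthetic({ width, height, colorDepth }) {
  if (!Number.isInteger(width) || !Number.isInteger(height)) return true;
  if (!Number.isInteger(colorDepth) || colorDepth < 24) return true;
  if (width < 1024 || height < 768) return true;
  return false;
}

// Decide what the page would do. Returns the verdict plus the reasons that
// triggered it, so an analyst can see which tell gave the sandbox away.
function classifyEnvironment(fp) {
  const reasons = [];
  if (rendererLooksSoftware(fp.renderer)) reasons.push("software renderer: " + fp.renderer);
  if (screenLooksSynthetic(fp)) reasons.push(`screen ${fp.width}x${fp.height}@${fp.colorDepth}bpp`);
  if (reasons.length > 0) {
    // Virtual machine suspected: behave like a benign page (redirect to a decoy).
    return { verdict: "virtual", action: "redirect_to_decoy", reasons };
  }
  // Physical host suspected: deliver the real payload (ZIP download).
  return { verdict: "physical", action: "download_zip", reasons };
}

// Browser-only collector. Reads the renderer through the WEBGL_debug_renderer_info
// extension and the geometry from window.screen. Returns null outside a browser
// so the decision logic above can still be exercised offline (e.g. under Node).
function collectFingerprint(win) {
  if (!win || !win.document || !win.screen) return null;
  const canvas = win.document.createElement("canvas");
  const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  let renderer = "unavailable";
  if (gl) {
    const dbg = gl.getExtension("WEBGL_debug_renderer_info");
    if (dbg) renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
  }
  const s = win.screen;
  return { renderer, width: s.width, height: s.height, colorDepth: s.colorDepth };
}

// Constructed sample fingerprints (not captured from real victims or sandboxes).
const SAMPLE_FINGERPRINTS = {
  sandboxSwiftShader: { renderer: "Google SwiftShader", width: 1920, height: 1080, colorDepth: 24 },
  sandboxMesa: { renderer: "Mesa/X.org, llvmpipe (LLVM 12.0.0, 256 bits)", width: 1024, height: 768, colorDepth: 24 },
  sandboxSmallScreen: { renderer: "ANGLE (NVIDIA, NVIDIA GeForce GTX 1660 Direct3D11 vs_5_0 ps_5_0)", width: 800, height: 600, colorDepth: 24 },
  workstation: { renderer: "ANGLE (NVIDIA, NVIDIA GeForce GTX 1660 Direct3D11 vs_5_0 ps_5_0)", width: 2560, height: 1440, colorDepth: 24 },
};

// Classify every constructed sample; returns a name -> verdict map.
function runSamples() {
  const out = {};
  for (const [name, fp] of Object.entries(SAMPLE_FINGERPRINTS)) out[name] = classifyEnvironment(fp);
  return out;
}

if (typeof window === "undefined") {
  for (const [name, result] of Object.entries(runSamples())) {
    console.log(name.padEnd(20), result.verdict.padEnd(9), result.action, result.reasons.join("; "));
  }
} else {
  console.log(classifyEnvironment(collectFingerprint(window)));
}
```

Two practical points follow from this. For analysts, a sandbox that presents a hardware-looking renderer string and a common desktop geometry (or a headless browser configured to do so) will be handed the ZIP instead of the decoy redirect. For detection, the strings a script like this must use (`WEBGL_debug_renderer_info`, `UNMASKED_RENDERER_WEBGL`, `screen.colorDepth`) are unusual in an invoice or insurance notice and are reasonable things to flag in HTML attachments.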
Researchers say this is the first time they have seen a script embedded in an HTML attachment check the screen resolution to decide whether to deliver a payload.
TrickBot operators are now combining screen-resolution and renderer checks to decide, before anything is downloaded, whether the target environment is virtual. Because that decision is made in the victim's browser, scanning the attachment alone is not enough: organizations need tooling that examines files by their behaviour and reports significant system changes, ideally running in an analysis environment that presents a realistic screen configuration so that checks like these are not tripped.