
TrickBot Checks Screen Resolution to Avoid Detection with a twist


Last Updated on 01/12/2021 by Sunaina

It’s nothing new for TrickBot operators to try to avoid detection and analysis by checking the screen resolution of a victim’s system. Only a year ago, the TrickBot gang added a feature to its malware that terminated the infection chain if a non-standard screen resolution was detected on the device.

A threat hunter and member of the Cryptolaemus security group recently discovered an HTML attachment containing a bogus insurance purchase alert. The attachment behaves differently depending on where it runs: on a physical system it downloads a ZIP archive, while in a virtual environment it redirects the victim to the American Broadcasting Company (ABC) website. The script tells the two apart by determining whether the web browser employs a software renderer such as SwiftShader, VirtualBox, or LLVMpipe, which usually implies the use of a virtual machine. In addition, the script examines the colour depth, height, and width of the screen.

Researchers claim that this is the first time a gang has used a script in an HTML attachment to check for screen resolution.

Opening the email attachment launches the campaign’s HTML file in the default web browser. A message appears informing the user that the document is being loaded, and the page then requests a password to access it. On a regular user’s machine, the infection chain begins with the download of a ZIP archive containing the TrickBot executable. This method of delivering malware is known as HTML smuggling: JavaScript code encoded in an HTML file bypasses a browser’s content filters and sneaks malicious files onto a compromised system.
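A static triage pass for HTML attachments that combine the environment checks and the smuggling behaviour described above. This is an added example, not code from the article or the researchers. The renderer names and screen properties come from the text; the smuggling markers (`Blob`, `createObjectURL`, `msSaveBlob`, `atob`), the verdict labels and both samples are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Renderer names and screen properties are the ones named in the article.
# The smuggling markers are assumed: common in-browser file-assembly calls.
INDICATORS = {
    "renderer_probe": re.compile(r"swiftshader|llvmpipe|virtualbox", re.I),
    "screen_probe": re.compile(r"\bscreen\s*\.\s*(?:width|height|colorDepth)\b"),
    "smuggling": re.compile(r"\bnew\s+Blob\s*\(|createObjectURL|msSaveBlob|\batob\s*\("),
}

class ScriptExtractor(HTMLParser):
    """Collects inline <script> text so visible page text is never matched."""
    def __init__(self):
        super().__init__()
        self.in_script, self.code = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.code.append(data)

def triage_attachment(html_text):
    """Return the matched indicator groups and a verdict for one attachment."""
    parser = ScriptExtractor()
    parser.feed(html_text)
    parser.close()
    code = "".join(parser.code)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    probes = {"renderer_probe", "screen_probe"} & set(hits)
    # Screen checks alone are routine in responsive pages; escalate only when
    # an environment probe appears together with in-browser file assembly.
    if "smuggling" in hits and probes:
        return {"hits": hits, "verdict": "suspicious"}
    verdict = "review" if "renderer_probe" in hits else "clean"
    return {"hits": hits, "verdict": verdict}

# Constructed, inert samples: indicator tokens only, no working logic.
SAMPLE_EVASIVE = """<html><body><script>
var env = [screen.width, screen.height, screen.colorDepth];
var names = ["SwiftShader", "llvmpipe", "VirtualBox"];
var file = new Blob([atob("QUJD")]);
</script></body></html>"""
SAMPLE_BENIGN = """<html><body><script>
if (screen.width < 600) { document.body.className = "mobile"; }
</script></body></html>"""
```

A mail gateway or analyst script could call `triage_attachment()` on each `.html` attachment and send only the `suspicious` and `review` results to a sandbox configured with a realistic display and GPU renderer.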

TrickBot operators are now using device screen resolutions to determine whether the targeted environment is virtual or not. Organizations need a tool that can examine files based on their behaviour and deliver reports on significant system changes to stay protected from such threats.
