TrickBot Malware Now Checks Screen Resolution To Evade Analysis – Expert Reaction

By ISBuzz Team
Writer, Information Security Buzz | Jul 02, 2020 02:00 am PST

The infamous TrickBot trojan has started to check the screen resolution of victims' machines to detect whether the malware is running in a virtual machine. When researchers analyze malware, they typically do it in a virtual machine that is configured with various analysis tools. Because of this, malware commonly uses anti-VM techniques to detect whether it is running in a virtual machine. If it is, it is most likely being analyzed by a researcher or an automated sandbox system. These anti-VM techniques include looking for particular processes, Windows services, or machine names, and even checking network card MAC addresses or CPU features.
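For analysts who maintain sandboxes, the same list of checks works as a hardening checklist. The Python below is an added example (not from the article and not TrickBot's logic) that audits a description of an analysis VM for the artifacts named above. The profile layout, the resolution list, the MAC prefixes, the guest-tool names and the hostname hints are all assumptions chosen for illustration.

```python
"""Audit an analysis-VM profile for artifacts that anti-VM checks key on."""
# Illustrative assumptions, not values taken from TrickBot or from the article.
LOW_RESOLUTIONS = {(640, 480), (800, 600), (1024, 768)}
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
}
GUEST_TOOL_NAMES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe",
                    "vmtools", "vboxservice"}
GENERIC_NAME_HINTS = ("sandbox", "malware", "analysis", "virus")


def audit_profile(profile):
    """Return a list of (category, detail) findings for one VM profile dict."""
    findings = []
    width, height = profile["resolution"]
    if (width, height) in LOW_RESOLUTIONS:
        findings.append(("resolution", f"{width}x{height} is a common default VM display mode"))
    for mac in profile["macs"]:
        prefix = mac.lower().replace("-", ":")[:8]  # normalise to aa:bb:cc
        if prefix in VM_MAC_PREFIXES:
            findings.append(("mac", f"{mac} carries a {VM_MAC_PREFIXES[prefix]} prefix"))
    for name in profile["processes"] + profile["services"]:
        if name.lower() in GUEST_TOOL_NAMES:
            findings.append(("guest-tools", f"{name} reveals hypervisor guest tools"))
    host = profile["hostname"].lower()
    if any(hint in host for hint in GENERIC_NAME_HINTS):
        findings.append(("hostname", f"{profile['hostname']} looks like a lab machine name"))
    return findings


# Constructed sample profiles (not captured from real systems).
DEFAULT_SANDBOX = {
    "resolution": (1024, 768),
    "macs": ["00-0C-29-3A-11-7F"],
    "processes": ["explorer.exe", "vmtoolsd.exe"],
    "services": ["VMTools"],
    "hostname": "WIN7-SANDBOX",
}
HARDENED_SANDBOX = {
    "resolution": (1920, 1080),
    "macs": ["3C:52:82:10:9B:44"],
    "processes": ["explorer.exe"],
    "services": ["Spooler"],
    "hostname": "FIN-LT-0423",
}

if __name__ == "__main__":
    for category, detail in audit_profile(DEFAULT_SANDBOX):
        print(f"[{category}] {detail}")
```

An empty result only means the profile avoids these particular tells; CPU-feature checks, which the article also mentions, are not covered here.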

Tarik Saleh, Senior Security Engineer and Malware Researcher
July 2, 2020 10:01 am

TrickBot is a financial trojan that typically gets dropped by a maldoc spam campaign. It harvests credentials through the Mimikatz tool, using the man-in-the-browser technique and whatnot. It is modular and constantly being updated, and has been tied in the past to the Ryuk ransomware and to being used to drop other tools. Their usual move is sending spam mailers tied to current events and trying to get people to open documents and enable macros that then drop the next payload. This latest development, which checks whether the malware is being analysed via checking screen resolution, will make it even more difficult for security teams to detect and mitigate the effects of TrickBot. The best advice for employees is to exert extreme caution when downloading anything that seems suspicious in order to avoid malware exfiltration in the first place.
