- Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs.
- Over the last six years, TrickGate has been used to deploy top entries on the "Most Wanted Malware" list, including Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook and AgentTesla.
- TrickGate stayed under the radar for years because it changes periodically; as a result, the research community tracked it under numerous different attributes and names rather than as one packer.
- While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today.
- Check Point Threat Emulation successfully detects and blocks the TrickGate packer.
Key Findings:
- The use of Microsoft OneNote documents to deliver malware via email is increasing.
- Multiple cybercriminal threat actors are using OneNote documents to deliver malware.
- While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages.
- In order to detonate the payload, an end-user must interact with the OneNote document.
- Campaigns have impacted organizations globally, including in North America and Europe.
- TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
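The findings above hinge on a payload embedded in the OneNote document that the recipient has to click. The script below, an added example that is not code from the original page or from Proofpoint, carves those embedded objects out of a .one file so a responder can see what a lure carries before detonation. It assumes the FileDataStoreObject layout from MS-ONESTORE (a 16-byte header GUID, 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the file data, then a 16-byte footer GUID); the sample document and the `classify` heuristics are constructed here and are not a complete type detector.

```python
"""Carve embedded file objects out of a OneNote (.one) section file.

Added example (not from the original page or from Proofpoint). Layout of
FileDataStoreObject is assumed from MS-ONESTORE; the sample document below is
constructed inline so the script runs offline.
"""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass

# FileDataStoreObject.guidHeader / guidFooter (MS-ONESTORE), as on-disk bytes.
GUID_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
GUID_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# guidFileType of a .one section file (assumed from MS-ONESTORE); used only
# to make the constructed sample look like a real section.
GUID_ONE_FILE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


@dataclass
class EmbeddedFile:
    offset: int   # where the header GUID sits in the document
    data: bytes   # the carved file body
    kind: str     # result of classify()


def classify(data: bytes) -> str:
    """Cheap content sniff for the payload types seen in OneNote lures.

    Heuristic only: a real triage pipeline would hand the carved file to a
    proper file-type identifier and sandbox.
    """
    head = data[:64].lstrip()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8"):
        return "image"
    low = head.lower()
    if (low.startswith(b"<html") or b"<script" in low or b"wscript" in low
            or low.startswith(b"@echo") or b"powershell" in low):
        return "script"
    return "unknown"


def carve(doc: bytes) -> list[EmbeddedFile]:
    """Return every well-formed FileDataStoreObject found in doc."""
    found: list[EmbeddedFile] = []
    pos = doc.find(GUID_HEADER)
    while pos != -1:
        if pos + HEADER_SIZE <= len(doc):
            (length,) = struct.unpack_from("<Q", doc, pos + 16)
            start = pos + HEADER_SIZE
            end = start + length
            # Require the footer GUID at the declared end; this rejects
            # truncated files and bogus lengths instead of carving garbage.
            if end + 16 <= len(doc) and doc[end:end + 16] == GUID_FOOTER:
                data = doc[start:end]
                found.append(EmbeddedFile(pos, data, classify(data)))
        pos = doc.find(GUID_HEADER, pos + 1)
    return found


def suspicious(files: list[EmbeddedFile]) -> list[EmbeddedFile]:
    """Objects a user could 'open' that would execute code."""
    return [f for f in files if f.kind in ("pe", "script")]


def build_object(data: bytes) -> bytes:
    """Wrap data as a FileDataStoreObject (used to build the constructed sample)."""
    return GUID_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + GUID_FOOTER


# Constructed sample: file-type GUID, padding, a benign image object, then an
# HTA-style lure of the kind the user would be asked to double-click.
BENIGN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
LURE = (b'<html><script language="VBScript">'
        b'CreateObject("Wscript.Shell").Run "cmd /c echo constructed lure"'
        b"</script></html>")
SAMPLE_ONE = (GUID_ONE_FILE + b"\0" * 64
              + build_object(BENIGN_IMAGE) + b"\0" * 16 + build_object(LURE))


def scan(doc: bytes = SAMPLE_ONE) -> list[tuple[int, str, int]]:
    """(offset, kind, size) for each embedded object; convenient for a report."""
    return [(f.offset, f.kind, len(f.data)) for f in carve(doc)]


if __name__ == "__main__":
    for offset, kind, size in scan():
        print(f"offset={offset:#x} kind={kind} size={size}")
    print("suspicious objects:", len(suspicious(carve(SAMPLE_ONE))))
```

The footer check matters in practice: attackers and corrupt files both produce header GUIDs with lengths that run past the end of the document, and carving on the header alone yields junk that can confuse downstream tooling. Run the carved objects through a sandbox rather than trusting `classify`, which only recognises a handful of magic bytes and script markers.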