Quotidien Shaarli

.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.

During Q4 2022, WithSecure™ detected and responded to a cyber attack conducted by a threat actor that WithSecure™ have attributed with high confidence to an intrusion set referred to as Lazarus Group. Attribution with high confidence was based off of overlapping techniques tactics and procedures as well as an operational security mistake by the threat actor. Amongst technical indications, the incident observed by WithSecure™ also contains characteristics of recent campaigns attributed to Lazarus Group by other researchers.

• Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs.
• Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.
• TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names.
• While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today.
• Check Point Threat Emulation successfully detects and blocks the TrickGate packer.