The malware has added an anti-debugging tool that crashes browser tabs when researchers use code beautifying for analysis.
Trojan titan TrickBot has added a striking anti-debugging feature that detects security analysis and crashes researcher browsers before its malicious code can be analyzed.
The new anti-debugging feature was discovered by Security Intelligence analysts with IBM, who reported the emergence of a variety of TrickBot tactics aimed at making the job of security researchers more difficult, including server-side injection delivery and secure communications with the command-and-control (C2) server to keep code protected.
IBM’s intelligence team found TrickBot’s script detects analysis whenever a code “beautifying” tool is applied to make the code easier for humans to read. Once TrickBot detects the beautifier, it triggers a memory-overload reaction to crash the researcher’s tab.
“TrickBot uses a RegEx to detect the beautified setup and throw itself into a loop that increases the dynamic array size on every iteration,” the report said. “After a few rounds, memory is eventually overloaded, and the browser crashes.”
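A defender-side triage heuristic for the behaviour the report describes, as an added example (not TrickBot's code and not IBM's tooling): before beautifying a suspect script, flag regex literals that test whitespace or line breaks when they occur alongside a loop that appends to an array. The function name, the patterns and both sample strings are constructed assumptions.

```javascript
// Heuristic pre-beautify triage for a suspect script (added example).
// It is a string scan, not a JavaScript parser: expect false positives.

// Candidate regex literals: a "/" that follows an operator or opening paren.
const REGEX_LITERAL = /(?:^|[=(,:;!&|?])\s*\/((?:\\.|[^\/\\\n])+)\/[a-z]*/g;
// Tokens that make a pattern depend on layout, which is all a beautifier changes.
const WS_TOKEN = /\\[sSnrt]| {2,}/;
// A while/for loop whose body appends to an array.
const APPEND_LOOP = /\b(?:while|for)\b[^{]{0,200}\{[^}]{0,400}\.(?:push|concat|unshift)\s*\(/g;

function triageScript(source) {
  const findings = [];
  for (const m of source.matchAll(REGEX_LITERAL)) {
    if (WS_TOKEN.test(m[1])) {
      findings.push({ kind: 'whitespace-sensitive-regex', offset: m.index, text: m[1] });
    }
  }
  for (const m of source.matchAll(APPEND_LOOP)) {
    findings.push({ kind: 'array-append-in-loop', offset: m.index });
  }
  // Either signal alone is common in ordinary code; report only the combination.
  const kinds = new Set(findings.map((f) => f.kind));
  return { findings, likelyAntiBeautify: kinds.size === 2 };
}

// Constructed sample shaped like the report's description: a layout-sensitive
// regex gating a loop that grows an array. Not taken from any real sample.
const SUSPECT_SAMPLE =
  'var a=[],r=/\\{\\s*\\n\\s+return/;while(r.test(src)){a.push(a.concat(a))}';

// Constructed benign sample: an append loop, but no layout-sensitive regex.
const BENIGN_SAMPLE =
  'var parts=line.split(/,/);for(var i=0;i<parts.length;i++){out.push(parts[i])}';

console.log(triageScript(SUSPECT_SAMPLE));
console.log(triageScript(BENIGN_SAMPLE));
```

A hit is a reason to beautify in a disposable, memory-capped context, not proof of malice.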
TrickBot’s Messy Code
Further, the researchers found that TrickBot intentionally makes its code “messy,” in order to force analysts to have to