Trickbot, Emotet Malware Use Coronavirus News to Evade Detection

The TrickBot and Emotet Trojans have started to add text from Coronavirus news stories in an attempt to bypass security software that uses artificial intelligence and machine learning to detect malware.

Before malware is distributed in phishing campaigns or other attacks, developers commonly use a program called a ‘crypter’ to obfuscate or encrypt the malicious code.

This is done in the hope that it makes the malware appear harmless and thus FUD (Fully UnDetectable) to antivirus software.

This was shown to be particularly useful against security software that utilizes machine-learning or artificial intelligence to detect malicious programs.

TrickBot and Emotet use text from Coronavirus news stories

In January 2020, it was discovered that crypters for the TrickBot and Emotet Trojans were using text from news stories about President Trump’s impeachment.

This week, BleepingComputer discovered that the crypters for TrickBot and Emotet have switched to news stories about the Coronavirus pandemic.

For example, TrickBot samples seen by BleepingComputer use strings taken from CNN news stories as part of the malware’s file description.

We also saw an Emotet sample that uses strings from a CNN news story for its file information.

This information is then shown in the Details tab of the malware’s properties as shown below.

File properties for new TrickBot and Emotet samples

It is not known if the use of these strings has been of any benefit to the threat actors, but Vitali Kremez, Head of SentinelLabs, thinks it could be useful against AI/ML security engines.

“By and large, the Coronavirus strings being used by the malware crypter generator deploy public news content as a methodology to frustrate certain machine learning static file parser methodologies. This “goodware” string addition technique allows the criminal crypter operators to create crypted binaries that might allow bypasses of AI/ML engines of certain anti-virus products as it was proved in the Cylance bypass method,” Kremez told BleepingComputer via email.
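As an added example (not code from the article or from any of the researchers quoted), the following Python snippet shows a defender-side triage heuristic for the "goodware string" technique described above: it scores PE version-info fields such as FileDescription for news-like prose and flags samples whose metadata reads like a sentence rather than a product name. The sample field values, the stop-word list and the thresholds are all constructed for illustration; in practice the fields would be read from the binary's version resource with a PE parser.

```python
import re

# Small constructed English stop-word list; a real deployment would use a fuller one.
STOPWORDS = {
    "the", "a", "an", "and", "or", "of", "to", "in", "on", "for", "is", "are",
    "was", "were", "that", "this", "with", "as", "by", "it", "has", "have",
    "from", "said", "at", "be", "not", "its",
}


def description_features(text):
    """Return simple prose indicators for one version-info string."""
    words = re.findall(r"[A-Za-z']+", text)
    n_words = len(words)
    stop_hits = sum(w.lower() in STOPWORDS for w in words)
    stop_ratio = stop_hits / n_words if n_words else 0.0
    # Sentence terminators followed by whitespace or end of string.
    sentences = len(re.findall(r"[.!?](?:\s|$)", text))
    return {"words": n_words, "stop_ratio": stop_ratio, "sentences": sentences}


def is_news_like(text, min_words=12, min_stop_ratio=0.25):
    """Product names are short and noun-heavy; copied news text is long,
    full of function words and punctuated as sentences."""
    f = description_features(text)
    return (f["words"] >= min_words
            and f["stop_ratio"] >= min_stop_ratio
            and f["sentences"] >= 1)


def triage(samples):
    """Return the names of samples whose version-info fields look stuffed with prose."""
    return [name for name, fields in samples.items()
            if any(is_news_like(value) for value in fields.values())]


# Constructed version-info fields (assumed layout; not real TrickBot/Emotet strings).
SAMPLES = {
    "benign_editor.exe": {
        "FileDescription": "Text Editor",
        "CompanyName": "Example Corp",
        "ProductName": "Example Editor",
    },
    "suspicious_dropper.exe": {
        "FileDescription": ("Health officials said on Tuesday that the number of "
                            "confirmed cases in the region has continued to rise "
                            "as testing expands."),
        "CompanyName": "Example Corp",
    },
}

if __name__ == "__main__":
    print(triage(SAMPLES))  # ['suspicious_dropper.exe']
```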

The use of Coronavirus (COVID-19) as part of malware attacks has steeply increased since the outbreak with new phishing scams, ransomware, and malware being deployed.

Everyone should be wary of any emails that they receive, especially those with unsolicited attachments about the Coronavirus.

Update 3/18/20: MalwareHunterTeam told BleepingComputer that this change started about a month ago.

This content was originally published here.