The TrickBot and Emotet Trojans have started to add text from Coronavirus news stories to their binaries in an attempt to evade security software that uses artificial intelligence and machine learning to detect malware.
Before malware is distributed in phishing campaigns or other attacks, developers commonly use a program called a ‘crypter’ to obfuscate or encrypt the malicious code.
This is done in the hope that the malware appears harmless and is thus FUD (Fully UnDetectable) to antivirus software.
This was shown to be particularly useful against security software that utilizes machine-learning or artificial intelligence to detect malicious programs.
TrickBot and Emotet use text from Coronavirus news stories
In January 2020, it was discovered that crypters for the TrickBot and Emotet Trojans were using text from news stories about President Trump’s impeachment.
This week, BleepingComputer discovered that the crypters for TrickBot and Emotet have switched to news stories about the Coronavirus pandemic.
This text is then displayed in the Details tab of the malware's file properties, as shown below.
It is not known if the use of these strings has been of any benefit to the threat actors, but Vitali Kremez, Head of SentinelLabs, thinks it could be useful against AI/ML security engines.
“By and large, the Coronavirus strings being used by the malware crypter generator deploy public news content as a methodology to frustrate certain machine learning static file parser methodologies. This “goodware” string addition technique allows the criminal crypter operators to create crypted binaries that might allow bypasses of AI/ML engines of certain anti-virus products as it was proved in the Cylance bypass method,” Kremez told BleepingComputer via email.
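The technique Kremez describes, benign article text padded into a binary's version-information fields, leaves a simple fingerprint a defender can check for: Details-tab fields that are far longer and far more prose-like than a real vendor would ever write. The following is an added example, not code from the article or from any vendor; it assumes the version-info strings have already been extracted from the PE (for instance with the pefile library) into a plain dictionary, and the length and word-ratio thresholds are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Legitimate VERSIONINFO fields (CompanyName, FileDescription, ...) are short
# identifiers. Thresholds below are assumptions for this example, not vendor values.
MAX_TYPICAL_LEN = 80        # characters; real fields are rarely this long
MAX_TYPICAL_SENTENCES = 1   # more than one sentence suggests pasted prose
MIN_PROSE_RATIO = 0.25      # share of common English function words

# Small set of English function words; article text is dense with these,
# product names and company names are not.
STOPWORDS = {"the", "of", "and", "to", "in", "a", "that", "is",
             "for", "on", "with", "as", "said", "were", "at"}


def prose_ratio(text: str) -> float:
    """Fraction of words in the text that are common English function words."""
    words = re.findall(r"[A-Za-z']+", text.lower())
    if not words:
        return 0.0
    return sum(w in STOPWORDS for w in words) / len(words)


def sentence_count(text: str) -> int:
    """Count sentence-like segments (terminator followed by whitespace)."""
    return len([s for s in re.split(r"[.!?]+\s", text.strip()) if s])


def flag_padded_fields(version_info: Dict[str, str]) -> List[str]:
    """Return the names of version-info fields that look like injected article text.

    A field is flagged only when it is both unusually long and reads like prose,
    so short multi-sentence values such as a copyright line are not flagged.
    """
    flagged = []
    for name, value in version_info.items():
        too_long = len(value) > MAX_TYPICAL_LEN
        multi_sentence = sentence_count(value) > MAX_TYPICAL_SENTENCES
        reads_like_prose = prose_ratio(value) >= MIN_PROSE_RATIO
        if too_long and (multi_sentence or reads_like_prose):
            flagged.append(name)
    return flagged


# Constructed sample version-info blocks (not taken from any real binary).
NORMAL_INFO = {
    "CompanyName": "Example Software Inc.",
    "FileDescription": "Example Updater Service",
    "ProductName": "Example Updater",
    "LegalCopyright": "Copyright (c) 2020 Example Software Inc. All rights reserved.",
}
PADDED_INFO = dict(NORMAL_INFO, FileDescription=(
    "Health officials said on Tuesday that the number of cases in the region "
    "continued to rise. Residents were urged to stay at home and avoid travel. "
    "The ministry added that more testing sites would open this week."))
```

Run `flag_padded_fields` over the version info of every sample in a triage queue and treat a hit as a reason to look closer, not as a verdict on its own.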
Everyone should be wary of any emails that they receive, especially those with unsolicited attachments about the Coronavirus.
Update 3/18/20: MalwareHunterTeam told BleepingComputer that this change started about a month ago.