Select Page

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

“TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically,” Check Point Research’s Arie Olshtein said, calling it a “master of disguises.”

Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism.

“Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion techniques,” Proofpoint noted in December 2020.

But the frequent updates to the commercial packer-as-a-service meant TrickGate has been tracked under various names such as new loaderLoncom, and NSIS-based crypter since 2019.

images from Hacker News