TrickBot malware returns with some devious new tools

News
By
published

TrickBot now checks an infected device's screen resolution to see if its running in a virtual machine

(Image credit: Pixabay)

A new sample of TrickBot has been discovered which checks the screen resolution of victim's machines in order to see if the malware is running inside a virtual machine.

In order to protect themselves and their systems when analyzing malware, security researchers often do so in a virtual machine. As a result of this, malware often employs anti-VM techniques to detect whether or not it is running in a virtual machine.

The anti-VM techniques used by malware include looking for particular processes, windows services, machine names and checking network card MAC addresses or CPU features.

If malware detects that it is indeed running in a virtual machine, it will stop its operations to avoid giving researchers further clues into how it works and who deployed it in the first place.

Screen resolution

Maciej Kotowicz from the cybersecurity firm MalwareLab found a new sample of the TrickBot Trojan that checks an infected computer's screen resolution to determine if it's a virtual machine.

TrickBot originally started out as a banking trojan but the malware has evolved to perform other malicious behavior including spreading laterally through a network, stealing saved credentials in browsers, stealing cookies and more.

Kotowicz first made his discovery public in a Tweet in which he revealed that a new sample of TrickBot is checking infected machines to see if they have a resolution of 800x600 or 1024x768. If either of these resolutions is found, TrickBot will stop running.

The reason the malware is checking for these two resolutions in particular is due to how researchers configure the virtual machines they use to analyze malware. When setting up a virtual machine, most researchers will not install the VM guest software that would allow them to use higher resolutions. Without this software installed, a virtual machine will usually not allow any resolutions other than 800x600 and 1024x768.

While unfortunate for researchers studying malware, this new anti-VM check is actually quite clever and hopefully other malware developers don't follow suit and add this feature to their malicious software.

Via BleepingComputer

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Woman shocked by online scam, holding her credit card outside
Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Latest in News
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
New Samsung Galaxy S25 Edge may have revealed some key details – including its price
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 9 (game #1140)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 9 (game #371)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 9 (game #637)
WhatsApp
WhatsApp just made its AI impossible to avoid – but at least you can turn it off
More about security
Woman shocked by online scam, holding her credit card outside

Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Cryptocurrencies

Ransomware’s favorite Russian crypto exchange seized by law enforcement
Workplace AI Adoption

ChatGPT remains the most popular AI tool in offices worldwide, survey finds, with India leading the way
See more latest
Most Popular
Workplace AI Adoption
ChatGPT remains the most popular AI tool in offices worldwide, survey finds, with India leading the way
Lexar ARMOR GOLD and SILVER PRO
Almost indestructible memory card launched; Lexar's Armor SD steel cards are water resistant and can survive a 16-feet drop
IBM FlashSystem C200
'Writing is on the wall for spinning rust': IBM joins Pure Storage in claiming disk drives will go the way of the dodo in enterprises
Disney Imagineering BDX Droids at Disneyland Galaxy's Edge
The adorable BDX Droids are coming to more Disney Parks around the world, including Disney World
Orange servers and networks
Alibaba doubles down on RISC-V architecture with a new secretive 'server-grade' chip that will put AMD and Intel on alert
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
Samsung Galaxy S25 Ultra HANDS ON
‘I don't see a space where the S Pen is not a key part of our portfolio’: Samsung executive defends the S Pen amid cancellation rumors
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 9 (game #371)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 9 (game #1140)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 9 (game #637)