The developers of the popular TrickBot Trojan have added a dangerous new feature. According to experts in secure data erasure, this malware now checks the resolution of the victim’s screen to detect whether it is running on a virtual machine. Virtual machine detection is a very common technique malware uses to evade analysis.
Malware developers employ multiple techniques to detect whether their malware is running on a virtual machine. If it is, the malware is likely being analyzed by an investigator or detonated in isolation in a custom sandbox environment. These techniques include searching for characteristic processes, Windows services, or machine names, as well as checking network card MAC addresses or CPU features.
As reported by MalwareLab researcher Maciej Kotowicz, TrickBot analyzes the screen resolution on the infected system, which helps hackers determine if the malware is running in an isolated environment.
Although TrickBot began as a common banking Trojan, its developers have added multiple features that make it one of the most dangerous malware variants today. Among the features added to TrickBot are theft of credentials stored in the browser, theft of Active Directory databases, and harvesting of cookies and OpenSSH keys, among other malicious activities, as secure data erasure specialists mentioned.
In his investigation, Kotowicz mentions that a new sample detected from TrickBot is checking whether the screen resolution of the affected computer is 800×600 or 1024×768, and if so, TrickBot does not run.
The secure data erasure expert notes that these particular resolutions are very common in the configuration of most VM deployments.
When configuring these tools, researchers rarely install the additional software that enables a higher screen resolution along with other conveniences (such as improved mouse handling and network access): “VirtualBox, for example, has a default resolution of 1024×768”, mentions Kotowicz. In other words, users whose monitors run at the above resolutions might be less prone to TrickBot infection, although it is worth mentioning that these are considered low resolutions that make daily work difficult.
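As an added example (not code from the article or from Kotowicz's research), a small sandbox-hygiene script an analyst could run to find which lab VMs would trip the resolution check described above and therefore never detonate the sample; the fleet inventory, guest names and suggested replacement resolutions are constructed for illustration.

```python
"""Sandbox hygiene: would this guest trip TrickBot's screen-resolution check?"""
import sys
from typing import Iterable, List, Tuple

Resolution = Tuple[int, int]

# Resolutions the article reports TrickBot refusing to run under (typical VM defaults).
TRICKBOT_BAIL_RESOLUTIONS = frozenset({(800, 600), (1024, 768)})

# Constructed list of resolutions an ordinary workstation plausibly uses.
REALISTIC_RESOLUTIONS = ((1920, 1080), (2560, 1440), (1366, 768))

# Constructed fleet inventory: (guest name, resolution the guest currently runs at).
SAMPLE_FLEET = [
    ("vbox-default", (1024, 768)),   # stock VirtualBox guest, no guest additions
    ("legacy-xp", (800, 600)),       # old baseline image
    ("vmware-fhd", (1920, 1080)),    # guest tools installed, resized display
]


def trips_resolution_check(width: int, height: int) -> bool:
    """True if a sample applying the described check would refuse to run here."""
    return (width, height) in TRICKBOT_BAIL_RESOLUTIONS


def needs_reconfiguration(fleet: Iterable[Tuple[str, Resolution]]) -> List[str]:
    """Names of guests whose display must be resized before detonating samples."""
    return [name for name, (w, h) in fleet if trips_resolution_check(w, h)]


def current_resolution_windows() -> Resolution:
    """Primary-monitor resolution of this guest via GetSystemMetrics (Windows only)."""
    import ctypes
    user32 = ctypes.windll.user32
    user32.SetProcessDPIAware()          # report physical, not DPI-virtualized, pixels
    return user32.GetSystemMetrics(0), user32.GetSystemMetrics(1)  # SM_CXSCREEN, SM_CYSCREEN


if __name__ == "__main__":
    if sys.platform == "win32":
        w, h = current_resolution_windows()
        print(f"this guest: {w}x{h} -> trips check: {trips_resolution_check(w, h)}")
    for name in needs_reconfiguration(SAMPLE_FLEET):
        alt = "/".join(f"{a}x{b}" for a, b in REALISTIC_RESOLUTIONS)
        print(f"{name}: resize display (e.g. {alt}) and install guest tools")
```

Run inside a Windows analysis VM to check that guest itself; on any platform it audits the inline inventory.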
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.