TrickBot malware now checks screen resolution to evade analysis
The notorious TrickBot trojan has evolved again, this time acquiring the ability to check the victim's screen resolution to detect whether the malware is running in a virtual machine or on an actual device. Researchers typically analyze malware inside a virtual machine outfitted with various analysis tools, so malware commonly adopts anti-VM techniques to determine whether it is running in one. Anti-VM code typically searches for Windows services, machine names, or particular processes that indicate the malware is running on a VM.
Cybersecurity firm MalwareLab acquired a new sample of the TrickBot trojan and identified the updates to the malware. TrickBot started as a banking trojan but has evolved over time to perform a larger variety of malicious behavior, including spreading laterally through a network, stealing credentials saved in browsers, stealing cookies and OpenSSH keys, stealing Active Directory Services databases, and more.