The notorious TrickBot trojan has evolved again, this time acquiring the ability to check a victim's screen resolution to detect whether the malware is running on a virtual machine or on an actual device. Researchers typically analyze malware in a virtual machine outfitted with various analysis tools, so malware commonly adopts anti-VM techniques to determine whether it is running on one. Anti-VM code typically searches for Windows services, machine names, or particular processes that indicate the malware is running on a VM.
Cybersecurity firm MalwareLab acquired a new sample of the TrickBot trojan and identified the updates to the malware. TrickBot started as a banking trojan; however, it has evolved over time to perform a wider variety of malicious behavior, including spreading laterally through a network, stealing credentials saved in browsers, stealing cookies and OpenSSH keys, stealing Active Directory Services databases, and more.