TrickGate, a malicious software service, has been deployed by threat actors in recent attacks to bypass endpoint detection. The malware is not new: it has been used to evade endpoint detection and response (EDR) protection software for six years. Check Point Research recently released a report detailing TrickGate and its use by malware families such as Emotet, REvil and Maze, among other malicious operations.
Check Point Research stated that over the past two years, threat actors leveraged TrickGate in a large number of attacks per week, sometimes as many as 650 instances. Victims targeted through this packer operate mainly in the manufacturing sector, but Check Point also found victims in the education, healthcare, finance and business sectors. The attacks did not target one specific region; however, the highest volume of attacks was directed at organizations in Taiwan and Turkey. TrickGate has evolved over the years, but the main components of its shellcode have remained the same.