TrickGate is a shellcode-based packer that has been operating successfully and undetected for over six years.
It is offered as a service to other threat actors to help hide malware payloads behind a layer of wrapper code and bypass security solutions installed on a target host.
According to Check Point Research, TrickGate has primarily targeted the manufacturing sector, with lesser attacks in the education, healthcare, government and financial sectors. The most common malware used in the attacks are FormBook, LokiBot, Agent Tesla, Remcos and Nanocore,
with significant concentrations reported in Taiwan, Turkey, Germany, Russia and China.
The infection chain starts with phishing emails with malicious attachments or links that lead to the download of a shellcode loader, which then decrypts and launches the actual payload in memory.
The shellcode has been updated over the years, but the injection module is the most consistent part and has been observed in all TrickGate shellcodes.
Indicator of Compromise