Several malware strains including TrickBot, REvil, Emotet, Agent Tesla, FormBook, Maze, and Cerber have been distributed using the shellcode-based packer-as-a-service TrickGate, which has been operating stealthily for more than six years, according to The Hacker News.
Periodic changes have enabled TrickGate, which allows payload obfuscation through a wrapper code layer, to elude detection since at least late 2016, a report from Check Point Research showed. Such changes involved TrickGate being tracked as the Loncom loader and NSIS-based crypter in 2019.
However, "the injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes," said Check Point researcher Arie Olshtein.
The report also showed that manufacturing was most targeted by threat actors leveraging TrickGate, followed by the education, healthcare, government, and finance sectors. Moreover, FormBook, LokiBot, Agent Tesla, Remcos, and Nanocore were the leading malware families using the packer in their attacks over the last two months.
