Malware Analysis of TrickBot, Gh0stRAT and DarkComet - Intezer

Intezer Analyze Community Halloween Edition: Trickbot or Treat!

Written by Shaul Holtzman



    In the spirit of Halloween, we're spotlighting three "spooky" threats detected by the Intezer Analyze community in October. As a special treat, we're also giving away three code-based YARA signatures, produced with our Genetic Malware Analysis technology, which can be used to hunt for additional variants of these threats.

    1) Trickbot [Link to Analysis]
    Trickbot is a widely distributed banking trojan that steals personal financial information, browser credentials, and other user data. It has been active since September 2016 and is widely believed to be the successor of Dyre, a similar banking trojan that targeted major United States banks in 2014. Trickbot is typically delivered by a spear phishing email carrying a malicious document attachment. Once the attachment is opened, the malware infects the machine and establishes persistence; as part of this process it also disables security mechanisms such as Windows Defender.

    The Intezer Analyze report below shows precisely how Trickbot unpacks and injects itself into a legitimate svchost.exe process. Once running, Trickbot has over 25 capabilities in its arsenal that can be used to further the attack.


    2) Gh0stRAT [Link to Analysis]
    Gh0stRAT is a remote access tool that gives an attacker control of a compromised machine, letting them spy on user activity, steal information, upload additional tools, and more. The code of this RAT can be traced back to the GhostNet espionage operation, uncovered in 2009 by the independent research group Information Warfare Monitor (IWM). That operation was likely run by the Chinese government and was found to have infiltrated systems in 103 countries, including computers in embassies, government offices, and media organizations.

    Today the source code of Gh0stRAT is publicly available, so many threat groups use it to build their own variants. The illustration below shows several Gh0stRAT samples that were uploaded to the Intezer Analyze community in October and that share code with one another:


    3) DarkComet [Link to Analysis]
    DarkComet is another remote access trojan (RAT). It was developed by an independent programmer who advertised it as a remote administration tool for legitimate use; however, the developer acknowledges that it is also used by attackers for malicious purposes.

    DarkComet has the capabilities you would expect from a RAT: taking screenshots, accessing the desktop user's microphone and camera, retrieving files, controlling processes, and more. It also lets the attacker harass victims by hiding the Start button and other desktop icons, and it can even play music on the infected machine.

    Intezer Analyze's string reuse feature makes it easy to see some of the capabilities this RAT offers:
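As an added example (this is not Intezer's code and not the string reuse feature itself), here is a small Python triage script that does what string-based analysis rests on: it pulls ASCII and UTF-16LE strings out of a binary blob, maps them to a list of capability keywords, and lists the strings two samples have in common. The capability keyword list and both sample blobs are constructed for the demonstration; none of the strings are claimed to come from DarkComet or any other real sample.

```python
"""String-based triage of a binary: extract ASCII and UTF-16LE strings,
map them to RAT capabilities, and measure string reuse between two blobs.
Added example, not Intezer's code. The indicator list and both sample
blobs below are constructed for the demo, not taken from real malware."""
import re
from collections import defaultdict

MIN_LEN = 6  # same default minimum length as the `strings` tool

# Assumed capability indicators: illustrative keywords, not from the report.
CAPABILITY_INDICATORS = {
    "screen capture": ("screenshot", "bitblt", "getdc"),
    "audio/video capture": ("microphone", "waveinopen", "capcreatecapturewindow"),
    "file retrieval": ("downloadfile", "uploadfile"),
    "process control": ("createprocess", "terminateprocess", "processlist"),
    "desktop tampering": ("hidestart", "hidedesktop", "hidetaskbar"),
    "persistence": ("currentversion\\run", "runonce"),
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE strings are "printable byte, NUL" pairs. The negative lookbehind
# stops the NUL terminator of a preceding ASCII string from being absorbed
# as the first wide character (e.g. the "r" of "...Server\0" + "H\0i\0...").
WIDE_RE = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Return (offset, encoding, text) for every string of at least MIN_LEN chars."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in WIDE_RE.finditer(data)]
    return sorted(found)


def triage(data: bytes):
    """Group extracted strings under the capability each one hints at."""
    hits = defaultdict(list)
    for offset, enc, text in extract_strings(data):
        lowered = text.lower()
        for capability, needles in CAPABILITY_INDICATORS.items():
            if any(n in lowered for n in needles):
                hits[capability].append((offset, enc, text))
    return dict(hits)


def shared_strings(a: bytes, b: bytes):
    """Strings present in both blobs: the raw signal behind string reuse analysis."""
    texts_a = {t for _, _, t in extract_strings(a)}
    texts_b = {t for _, _, t in extract_strings(b)}
    return sorted(texts_a & texts_b)


def _ascii(s: str) -> bytes:
    return s.encode("ascii") + b"\x00"


def _wide(s: str) -> bytes:
    return s.encode("utf-16le") + b"\x00\x00"


def build_sample() -> bytes:
    """Constructed blob imitating a RAT's data section (not a real sample)."""
    return b"".join([
        b"MZ\x90\x00\x03\x00\x00\x00",   # fake header bytes
        _ascii("GetDC"),                 # real API name, but shorter than MIN_LEN
        _ascii("BitBlt"),
        b"\x01\x02\x03",
        _wide("capCreateCaptureWindowA"),
        _wide("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
        _ascii("TerminateProcess"),
        b"\x90" * 8,
        _wide("HideStartButton"),
        _ascii("ab"),                    # too short to be reported
    ])


def build_variant() -> bytes:
    """Second constructed blob that reuses some strings of the first."""
    return b"".join([
        b"MZ\x90\x00",
        _wide("capCreateCaptureWindowA"),
        _ascii("UploadFileToServer"),
        _wide("HideStartButton"),
        _ascii("NtUnmapViewOfSection"),
    ])


if __name__ == "__main__":
    sample = build_sample()
    for capability, strings in sorted(triage(sample).items()):
        print(f"{capability}: " + ", ".join(
            f"{t} ({enc} @ 0x{off:x})" for off, enc, t in strings))
    print("shared with variant:", shared_strings(sample, build_variant()))
```

The wide-string extractor is where a naive script goes wrong: an ASCII string's NUL terminator followed immediately by a UTF-16LE string makes the last ASCII character look like the first wide character, so the lookbehind rejects a match that starts right after a printable byte. Keyword matching on lowercased strings is deliberately loose; in practice you would tune the indicator list to the family you are hunting and treat the output as triage hints, not as proof of capability.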

    Shaul Holtzman

    Shaul is a Sr. Sales Engineer at Intezer. He has nearly 10 years of experience in cybersecurity technologies and methodologies. Shaul was responsible for developing cybersecurity training in the Israeli Defense Force (IDF) and later served as a cybersecurity analyst at Verint.

    © 2022 All rights reserved