The team behind Trickbot has been aggressively updating and deploying various modules including Anchor and Bazar Loader targeting high-value targets, including healthcare entities
Posts Written ByJason Reaves
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
SentinelLabs profiles an affiliate involved with Maze ransomware and details the actor’s involvement with other crimeware families, including TrickBot.
Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine
A new macOS ransomware threat uses a custom file encryption routine not based on public key encryption. Jason Reaves shows how we broke it.
Sarwent Malware Continues to Evolve With Updated Command Functions
Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP.
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
Continuing our earlier analysis of the TrickBot Executor Module “mexec”, we take a look at the dropper variant and reveal how it carries its payload onboard.
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
New “mexec” module delivers tertiary malware and allows TrickBot to pivot within a network, deploy a variety of payloads and evade common detection methods.
Breaking TA505’s Crypter with an SMT Solver
TA505 threat group use a crypter common to Clop/CryptoMix ransomware and others. We tear it down with a new unpacker utilizing SMT.
Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot’s loader has received much less attention than other components of the malware. Jason Reaves shows how to reverse engineer the TrickLoader function.