In an effort to bypass security software using AI and machine learning to detect malware, cybercriminals have begun to add text from news articles about the coronavirus to the TrickBot and Emotet Trojans.
Before distributing malware in phishing campaigns and other cyberattacks, developers often use a program called a “crypter’ to obfuscate the malicious code. Cybercriminals often do this in an attempt to bypass users’ antivirus software.
This technique has proven to be particularly effective against security software that uses machine learning or AI to detect malicious programs.
Leveraging the coronavirus
Back in January, it was discovered that crypters for both the TrickBot and Emotet Trojans were using text from news stories about President Trump’s impeachment.
However, BleepingComputer recently discovered that the crypters for these two Trojans have switched to using coronavirus-related news stories. For example, TrickBot samples were found to utilize strings taken from CNN news stories as part of the malware’s file description. Additionally, the news outlet also saw an Emotet sample that uses strings from another CNN news story for its file information.
Currently, it is not yet known if using these strings has any benefit to the cybercriminals behind these two Trojans but in an email, Head of SentinelLabs, Vitali Kremez explained to BleepingComputer that the technique could help cybercriminals bypass antivirus software, saying:
“By and large, the Coronavirus strings being used by the malware crypter generator deploy public news content as a methodology to frustrate certain machine learning static file parser methodologies. This “goodware” string addition technique allows the criminal crypter operators to create crypted binaries that might allow bypasses of AI/ML engines of certain anti-virus products as it was proved in the Cylance bypass method.”