TrickBot malware now checks screen resolution to evade analysis

by chebbi abir

The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine.

When researchers analyze malware, they typically do it in a virtual machine that is configured with various analysis tools.

Due to this, malware commonly uses anti-VM techniques to detect whether the malware is running in a virtual machine. If it is, it is most likely being analyzed by a researcher or an automated sandbox system.

These anti-VM techniques include looking for particular processes, Windows services, or machine names, and even checking network card MAC addresses or CPU features.

TrickBot uses screen resolution as anti-VM checks

In a new sample of the TrickBot Trojan discovered by cybersecurity firm MalwareLab’s Maciej Kotowicz, the malware is now checking an infected computer’s screen resolution to determine if it’s a virtual machine.

Started as a banking Trojan, the TrickBot has evolved over time to perform a variety of malicious behavior.

This behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more.

In a tweet, Kotowicz stated that a new sample of TrickBot is checking if the computer’s screen resolution is 800×600 or 1024×768, and if it is, TrickBot will terminate.

Screen resolution check

TrickBot is checking for these particular resolutions because of how the researchers commonly configure their malware analysis virtual machines.

When configuring a virtual machine, most researchers will not install the VM guest software that allows for better screen resolutions, better mouse control, improved networking, and other features.


The software is not installed as malware commonly checks for files, registry keys, and processes used by the virtual machine guest software.

Without the guest software, though, a virtual machine will typically not allow any resolutions other than 800×600 and 1024×768, compared to ordinary screen resolutions that are much higher.

Knowing this, the TrickBot developers are using these screen resolution checks as another anti-VM check.

The good news is that if you are using these resolutions, you are safe from TrickBot. The bad news is that you are using these resolutions.

To read the original article:


Interdit de copier  ce contenu