The TrickBot malware group has been evading detection by security software with a new approach to checking a victim system's screen resolution, BleepingComputer reports.
Last year, TrickBot included a malware feature that stopped the infection chain on devices using the non-standard screen resolutions 1024x768 and 800x600, which are indicative of virtual machines. The group has now been found to insert the verification code into malspam campaign emails sent to possible victims, according to a report from TheAnalyst, a threat hunter and member of the Cryptolaemus security research group.
TheAnalyst noted that the HTML attachment behaves differently on real and virtual machines: on physical systems it prompts the download of a malicious ZIP archive, while on virtual systems it redirects to the website of the American Broadcasting Company.
This HTML smuggling technique was already reported in March by MalwareHunterTeam, which discovered a phishing kit that featured code for screen resolution checking. MalwareHunterTeam has also discovered several other phishing campaigns using the technique.
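A static triage heuristic that a mail gateway or analyst could run over HTML attachments showing the behaviour described above. This is an added example, not code from BleepingComputer, TheAnalyst or MalwareHunterTeam; the function name, regex patterns and sample inputs are constructed assumptions.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not signatures from a real sample).
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
SCREEN_READ = re.compile(r"\bscreen\.(?:width|height|availWidth|availHeight)\b")
VM_SIZES = re.compile(r"\b(?:1024|768|800|600)\b")  # resolutions named in the report
REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(")
BLOB_BUILD = re.compile(r"\bnew\s+Blob\s*\(|\bURL\.createObjectURL\s*\(|\bmsSaveOrOpenBlob\b")


def triage_html_attachment(html: str) -> dict:
    """Statically score the inline scripts of an HTML e-mail attachment."""
    js = "\n".join(SCRIPT.findall(html))
    hits = set()
    for m in SCREEN_READ.finditer(js):
        hits.add("screen_read")
        # Count a VM-typical literal only when it sits close to the screen read.
        if VM_SIZES.search(js[max(0, m.start() - 80): m.end() + 80]):
            hits.add("vm_resolution_literal")
    if REDIRECT.search(js):
        hits.add("redirect")
    if BLOB_BUILD.search(js):
        hits.add("blob_build")
    gated = {"screen_read", "vm_resolution_literal"} <= hits
    if gated and hits & {"redirect", "blob_build"}:
        verdict = "suspicious"   # resolution check steering a redirect or download
    elif "blob_build" in hits:
        verdict = "review"       # in-page file assembly without a visible gate
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": sorted(hits)}


# Constructed, inert samples (no real payload; the decoy host is a placeholder).
GATED = """<html><body><script>
if (screen.width == 1024 && screen.height == 768) { window.location.href = "https://decoy.example/"; }
else { var u = URL.createObjectURL(new Blob(["PLACEHOLDER"])); }
</script></body></html>"""
RESPONSIVE = '<script>if (screen.width < 480) { document.body.className = "m"; }</script>'
BLOB_ONLY = '<script>var u = URL.createObjectURL(new Blob(["PLACEHOLDER"]));</script>'

if __name__ == "__main__":
    for name, doc in (("gated", GATED), ("responsive", RESPONSIVE), ("blob_only", BLOB_ONLY)):
        print(name, triage_html_attachment(doc))
```

The heuristic reads only plain inline script text, so an obfuscated or encoded script will not match; treat a "benign" verdict as the absence of these indicators, not as a clearance.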