A malicious software service named TrickGate has been used by threat actors to bypass endpoint detection and response (EDR) software for more than six years.
The findings come from Check Point Research (CPR), which shared them with Infosecurity earlier today. Described in a new advisory, the research also suggests that several threat actors, including the groups behind Emotet, REvil, Maze and others, used the service to deploy malware.
More specifically, CPR estimated that, over the last two years, threat actors conducted between 40 and 650 attacks per week using TrickGate. Victims were located mainly in the manufacturing sector, but also in education, healthcare, finance and business enterprises.
“The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey,” CPR wrote. “The most popular malware family used in the last two months is Formbook, marking 42% of the total tracked distribution.”
According to CPR, TrickGate managed to stay under the radar for years because it is transformative: it undergoes periodic changes that keep its outer layer from being recognized, even though its core remains the same.
“While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today,” reads the advisory.