Researchers at Huntress Labs have reported that the latest version of TrickBot takes advantage of the Windows command line interpreter (cmd.exe) to slip the newest version of the malware past automated detection tools.
John Hammond, a senior security researcher at Huntress, said, “The authors of Trickbot use a batch script to break up their payload into numerous small chunks and then use the command line interpreter to rebuild the original payload.”
“This technique isn’t specific to Trickbot. Any other code or malware sample can do this within Windows batch scripting. But this is the first time Huntress has observed a threat actor using this exact obfuscation technique,” Hammond says.
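The chunk-and-rebuild pattern Hammond describes leaves a recognisable shape in the script itself: many `set` assignments holding very short values, followed by a line that expands a large number of `%VAR%` references at once. The following detector is an added example written for this article; it is not Huntress code and not taken from any TrickBot sample. The two embedded batch scripts are constructed fixtures (one harmless string-reassembly script, one ordinary build script), and the thresholds, indicator names and `analyze_batch` function are assumptions chosen for illustration.

```python
"""Heuristic triage for batch scripts that split a string into fragments
and reassemble it through cmd.exe variable expansion.

Added example, not code from the article, Huntress, or TrickBot.
Thresholds and names below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# 'set NAME=value' or 'set "NAME=value"' (cmd.exe is case-insensitive)
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
# every %NAME% expansion on a line
EXPAND_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')


@dataclass
class Indicators:
    short_fragments: int   # 'set' lines whose value is at most frag_len chars
    reassembly_lines: int  # lines expanding at least min_expansions variables
    max_expansions: int    # most %VAR% expansions seen on a single line
    suspicious: bool       # True when both indicators cross their thresholds


def analyze_batch(text: str, frag_len: int = 4, min_expansions: int = 4,
                  min_fragments: int = 8) -> Indicators:
    """Score one batch script. Legitimate scripts rarely define many tiny
    variables and then expand a large number of them on one line."""
    short_fragments = 0
    reassembly_lines = 0
    max_expansions = 0
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m and len(m.group(2)) <= frag_len:
            short_fragments += 1
            continue  # a fragment definition, not a reassembly line
        n = len(EXPAND_RE.findall(line))
        max_expansions = max(max_expansions, n)
        if n >= min_expansions:
            reassembly_lines += 1
    suspicious = short_fragments >= min_fragments and reassembly_lines >= 1
    return Indicators(short_fragments, reassembly_lines, max_expansions, suspicious)


# Constructed fixture: the text 'echo Hello world from batch' chopped into
# ten fragments and rebuilt by expansion on the last line.
CHUNKED_SAMPLE = """@echo off
set p1=ec
set p2=ho
set p3=Hel
set p4=lo
set p5=wo
set p6=rld
set p7=fro
set p8=m
set p9=bat
set p10=ch
%p1%%p2% %p3%%p4% %p5%%p6% %p7%%p8% %p9%%p10%
"""

# Constructed fixture: an ordinary build script with long values and
# only a couple of expansions per line.
BENIGN_SAMPLE = """@echo off
set BUILD_DIR=C:\\projects\\app\\build
set CONFIG=Release
if not exist "%BUILD_DIR%" mkdir "%BUILD_DIR%"
msbuild app.sln /p:Configuration=%CONFIG% /p:OutDir=%BUILD_DIR%\\
echo Build finished
"""

if __name__ == "__main__":
    for name, sample in (("chunked", CHUNKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_batch(sample))
```

The detector is deliberately structural rather than signature-based: it does not need to know which string is being rebuilt, only that the script defines many tiny fragments and then expands a large number of variables on a single line. Because a real sample may rebuild the payload across several lines or mix in `call`/delayed `!VAR!` expansion, treat this as a triage score to tune against your own script corpus, not as a verdict.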