Trick 'Em - Part 6

Mateo Cruz leaned forward, the dim glow of his monitor highlighting the tension in his face. The TrickMo sample Peter had sent him was unpacked and sprawled across multiple screens. Strings of obfuscated code, hidden logic, and precisely engineered exploits stared back at him.

“I didn’t just help build this monster,” he thought grimly. “I gave it running shoes and directions.”

?He sighed, the memories of his past work with the malware creeping into his thoughts. TrickMo wasn’t just another banking trojan anymore, it was a culmination of everything he once helped design, taken to a level he never imagined.

“This isn’t the TrickMo I left behind,” Mateo muttered. He opened his notes and began dictating into his headset. “Peter, this new variant is more than just an update, it’s an overhaul. Let’s start with their use of JSONPacker.”

“Go on,” Peter’s voice came through the line.

Mateo typed as he spoke. “They’re using JSONPacker to compress and encode critical components of the malware into a single JSON object. But here’s the difference, it’s dynamically unpacked only at runtime, and only under specific conditions. That means the payload doesn’t exist in a static, detectable form during installation. It’s invisible until it activates.”

“How’s that different from other trojans?” Peter asked.

“It’s not just about staying hidden,” Mateo explained. “The payload is modular. JSONPacker lets them add or remove functionality on demand, tailoring the malware to specific targets. Combine that with their use of evasion techniques, like sandbox detection and timing delays, and you’ve got something that’s not just hard to analyze, it’s nearly impossible to predict.”

He switched screens, pulling up logs of TrickMo’s activity during testing. “Now, here’s where they’ve taken things to the next level: account takeovers and on-device fraud. Other trojans typically rely on remote servers to control the victim’s account. TrickMo doesn’t need to…it performs everything directly on the device. That’s what makes it so dangerous.”

Peter was quiet for a moment. “Walk me through it.”

Mateo sighed, pulling up a flowchart he’d sketched earlier. “The malware starts by enabling accessibility services, giving it full control over the device. Once it detects the user opening a banking app, it overlays the login screen with a near-perfect replica. The user thinks they’re logging in as usual, but TrickMo intercepts the credentials and sends them to the attackers in real time.”

“And the fraud?” Peter prompted.

“It happens instantly,” Mateo continued. “TrickMo maintains the session in the background. It intercepts OTPs, auto-approves transactions, and even alters app settings to bypass security prompts. The user has no idea it’s happening, they’re just locked into the illusion that everything is normal.”

“And all this is happening locally, on the device?”

“Exactly,” Mateo confirmed. “That’s the genius of it. By executing fraud directly on the victim’s device, TrickMo avoids triggering many of the red flags that banks use to detect remote access or suspicious activity. From the bank’s perspective, it looks like legitimate user behavior.”

Peter’s voice hardened. “What about the infrastructure? Anything we can target?”

Mateo opened another window, showing a network map of TrickMo’s communications. “They’re using fast-flux DNS for their command-and-control servers. Every time you block one, another one comes online. But here’s the twist, they’re leveraging infected devices as part of their infrastructure. Some of the compromised devices aren’t just victims, they’re acting as nodes to host the overlay templates and relay data.”

Peter groaned. “Decentralization. That makes it harder to take down.”

“Much harder,” Mateo agreed. “And the stolen data? It’s routed to IPFS nodes, where it’s replicated across a decentralized network. Once it’s uploaded, it’s virtually impossible to retrieve or delete. Credentials, transaction details, personal data, it’s all out there, permanently.”

Peter paused. “What’s the play, Mateo? How do we hit back?”

Mateo leaned back, considering the question. “Start by disrupting their fast-flux DNS. It won’t stop them entirely, but it’ll slow them down. Then target the devices acting as nodes, cutting off their ability to host the overlays will weaken their infrastructure. Finally, educate users about this threat. TrickMo’s reliance on social engineering is key to its success. If users recognize fake updates and avoid granting unnecessary permissions, it’ll cripple their infection rates.”

“And the compromised devices?”

Mateo hesitated. “There’s no easy fix. The safest move is to revoke trust for those devices entirely. Treat them as compromised and block their access to banking systems. It’ll inconvenience users, but it’s better than letting TrickMo continue unchecked.”

Peter’s voice softened. “Thanks, Mateo. I’ll loop you in on our next steps.”

“Is there anything else we should know?”

“Hello Mateo, are you there?” Peter called out anxiously two more times before the phone line disconnected.???

If you missed Part 1, Part 2, Part 3, Part 4 and Part 5 please catch up.

Did Mateo meet your expectations? Has he done enough to clean up a mess he helped create? If TrickMo is always one step ahead, do you think this battle is already lost? Is blocking compromised devices too extreme? Would you be okay with losing access to your banking app if your phone was flagged? Share your thoughts in the comment section.

Comment | Share | Repost

? 2025-2090 ByPassed. All rights reserved. You may share or link to content from ByPassed, but please provide proper attribution and do not modify the original content without permission.

#cybersecurity #Bypassed #truecrime