Infamous Trickbot Trojan Is Now Capable of Stealing Credentials from Web Browsers Too
In a little over two years, Trickbot has been transformed from a newcomer into an established name in the online threat landscape. Many people continue to classify it as a banking trojan, but those who have actually analyzed it in detail know that it is quite a bit more than that.
Trickbot is a modular, highly customizable malware family
First analyzed in October 2016, Trickbot is thought to be the work of the same cybercriminals who created Cutwail, Vawtrak, and Pushdo. When it emerged on the scene, it was a fairly simple threat with a limited number of targeted financial institutions. An update arrived about a month later, however, and experts quickly realized that they had a serious piece of malware on their hands. Within mere weeks of releasing the first version, Trickbot's authors had already added both redirection attacks and server-side web injects to their trojan. Trickbot might not have been the first banking malware to use the two techniques, but it was the first to do so this soon after its debut. The gang had more than a few other tricks up their sleeves.
Even in the first version, security researchers saw that Trickbot's design allowed new modules to be added easily, so its criminal activities could be diversified. In the summer of 2017, the crooks implemented a component that stole login credentials not only for banking accounts but for customer relationship management systems as well, and shortly after, they added many new entries to the list of targeted financial institutions. The Trickbot gang was now targeting users in close to twenty countries.
In July 2017, they added a worm module that took advantage of the now-infamous SMB protocol to spread across the local network, and over the next few months, they experimented with a few other components, such as a screen locker module, which has thankfully remained disabled. Now, we have a new version with yet more functionality.
Trickbot scrapes data from browsers and other apps
As is often the case, the new samples were distributed with the help of spam emails. To lure the victims into opening the attachment, the crooks named the file "Sep_report.xls," and what followed was the typical "enable macros to view content" scenario.
The macro then downloaded and ran the Trickbot trojan, but when the researchers examined the infection more closely, they found a module they had not seen before. It came in the form of a 1MB file called "pwgrab32". Its name gives some of its functionality away: stealing passwords.
On closer inspection, the experts saw that the new module can attack most major browsers. It steals not only login credentials but also autofill data (which, in modern browsers, can include credit card details and other sensitive information) from Google Chrome, Mozilla Firefox, and Internet Explorer. There was also a mechanism for exfiltrating data from Microsoft Edge, but it was disabled when Fortinet and Trend Micro looked at it. Alongside the browser stealers, Trickbot's authors had added components scraping login credentials from Microsoft's email client, Outlook, as well as from two FTP clients, FileZilla and WinSCP.
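For defenders, the useful consequence of the list above is that every one of those applications keeps its saved credentials in a small, well-known set of files or registry keys, so a process other than the owning application reading those locations is a strong hunting signal. The following is an added example written for this page, not code from the article or from Fortinet or Trend Micro. The store locations are the editor's own knowledge of where these applications keep saved logins (Chrome's "Login Data" and "Web Data" SQLite files, Firefox's logins.json and key database, FileZilla's sitemanager.xml and recentservers.xml, WinSCP's session keys under HKCU, Outlook profile keys, and the older Internet Explorer IntelliForms key) and the log lines are constructed; the process name used for the offending reads is arbitrary.

```python
"""Flag reads of known credential stores by processes other than the
application that owns them (example detection logic; constructed input)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed store locations (editor's knowledge, not from the article). Keys are
# regexes over a normalised (lower-case, forward-slash) path or registry key;
# values are the image names allowed to read that store.
CREDENTIAL_STORES = {
    r"/google/chrome/user data/.*/login data$": {"chrome.exe"},
    r"/google/chrome/user data/.*/web data$": {"chrome.exe"},   # autofill, incl. cards
    r"/mozilla/firefox/profiles/.*/(logins\.json|key[34]\.db|cert9\.db)$": {"firefox.exe"},
    r"/filezilla/(sitemanager|recentservers)\.xml$": {"filezilla.exe"},
    r"/winscp\.ini$": {"winscp.exe"},
    r"^hkcu/software/martin prikryl/winscp 2/sessions": {"winscp.exe"},
    r"^hkcu/software/microsoft/office/[^/]+/outlook/profiles": {"outlook.exe"},
    r"^hkcu/software/microsoft/internet explorer/intelliforms/storage2": {"iexplore.exe"},
}


@dataclass(frozen=True)
class Event:
    ts: str        # timestamp as logged
    process: str   # image file name of the reader, lower-cased
    target: str    # file path or registry key that was read


def normalise(target: str) -> str:
    """Lower-case and use forward slashes so one regex covers both path styles."""
    return target.replace("\\", "/").lower()


def parse_event(line: str) -> Event:
    """Parse one constructed 'timestamp,process,target' log line."""
    ts, proc, target = line.split(",", 2)
    return Event(ts.strip(), proc.strip().lower(), target.strip())


def suspicious_access(event: Event) -> Optional[str]:
    """Return the matched store pattern when a non-owner process read a
    credential store, or None when the read is expected or irrelevant."""
    target = normalise(event.target)
    for pattern, owners in CREDENTIAL_STORES.items():
        if re.search(pattern, target) and event.process not in owners:
            return pattern
    return None


def scan(lines: List[str]) -> List[Tuple[Event, str]]:
    """Run the check over a batch of log lines and keep only the hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        pattern = suspicious_access(event)
        if pattern is not None:
            hits.append((event, pattern))
    return hits


# Constructed sample: the browser's own reads are benign, the same stores read
# by an unrelated process are not. The offending image name is arbitrary.
SAMPLE_EVENTS = [
    "2018-11-01T09:12:03,chrome.exe,C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2018-11-01T09:12:05,svchost.exe,C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2018-11-01T09:12:05,svchost.exe,C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
    "2018-11-01T09:12:06,svchost.exe,C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3ab.default\\logins.json",
    "2018-11-01T09:12:06,svchost.exe,C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    "2018-11-01T09:12:07,svchost.exe,HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\prod-ftp",
    "2018-11-01T09:13:00,filezilla.exe,C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    "2018-11-01T09:14:00,winword.exe,C:\\Users\\alice\\Downloads\\Sep_report.xls",
]

if __name__ == "__main__":
    for event, pattern in scan(SAMPLE_EVENTS):
        print(f"{event.ts} {event.process} read credential store {event.target!r}")
```

Two caveats when turning this into a real rule: the owner allowlist is by image name only, so a stealer that injects into the browser process (or a renamed copy of it) will pass, which is why the file-access signal should be paired with parent-process and network telemetry rather than used alone; and the store list must be kept current as browsers move their data (Edge was disabled in the sample analyzed here, but it keeps its own profile directory and would need its own entry).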
We have discussed why saving login credentials and other data in the browser isn't such a good idea, and Trickbot's new functionality illustrates the point rather well: anything the browser stores for your convenience is stored on disk, where a trojan running in your session can read it. For years, experts have advocated the use of stand-alone password management tools like Cyclonis Password Manager, and you might want to start thinking about heeding their advice.
Even with a password manager, however, Trickbot is still a threat to be reckoned with, and the new update shows that the crooks have no intention of retiring it any time soon.