New Trickbot module implements Remote App Credential-Grabbing features

The Trickbot banking trojan continues to evolve, Trend Micro detected a new variant that includes a new module used for Remote App Credential-Grabbing.

The infamous Trickbot banking trojan is back, experts at Trend Micro detected a new strain of the malware using an updated info-stealing module.

The new strain of the Trickbot banking trojan that a
updated info-stealing module. llows it to harvest remote desktop application credentials.

The new variant is being spread via spam emails that pose as tax-incentive notification purporting to be from the financial services company Deloitte.

The spam messages come with a macro-enabled (XLSM) Microsoft Excel spreadsheet attachment that purportedly includes data related to the tax incentive. The embedded macro download and execute the Trickbot on the user’s machine.

Experts noticed three new functions implemented in the new password-grabbing module:

  • Virtual Network Computing (VNC) credential stealer ability;
  • PuTTY credential stealer ability;
  • Remote Desktop Protocol (RDP) credential stealer ability;

Trickbot relies on “pwgrab” module to capture the VNC credentials, including the target machine’s hostname, port and proxy settings. The module searches for files using the “*.vnc.lnk” affix that are located in a user’s folders for recent applications and downloads.

The module will send the stolen data via POST, which is configured through a downloaded configuration file using the filename ‘dpost.’” The file contains a list of command-and-control (C2) servers that will receive the exfiltrated data.

The new Trickbot variant is also able to steal PuTTY credentials, it queries the registry key (i.e., “Software\SimonTatham\Putty\Sessions”) to retrieve saved connection settings. Using the settings the module could retrieve an array of useful information, including host name, user name, and the private key files used for authentication.

The new Trickbot’s module is also able to steal RDP credentials by using the “CredEnumerateA” API to identify and saved credentials.

“Its third function related to RDP uses the CredEnumerateA API to identify and steal saved credentials. It then parses the string “target=TERMSRV” to identify the hostname, username, and password saved per RDP credential.” Trend Micro experts explained.

Trickbot also uses the encryption for the strings implemented via simple variants of XOR or SUB routines and also borrowed from the Carberp trojan source code the use of API hashes for indirect API calling.

“These new additions to the already “tricky” Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware.” concludes the analysis. “While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW