- Jul 27, 2015
Cyberattackers are using the TrickBot malware to go after the customers of 60 different high-profile companies, many of them in the U.S., researchers have warned. According to a Wednesday writeup from Check Point Research (CPR), the targeted brands are being cherry-picked for victimization and include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.
TrickBot started life as a banking trojan, but it has evolved well beyond those humble beginnings into a wide-ranging credential stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware. Since the well-publicized October 2020 takedown of its infrastructure, the threat has clawed its way back, and it now sports more than 20 different modules that can be downloaded and executed on demand. It typically spreads via malicious emails, though the latest campaign adds self-propagation via the EternalRomance exploit, which abuses a flaw in SMBv1.
The version of TrickBot that CPR found being used in the current campaign sports three freshened-up modules of note, researchers said:
TrickBot’s ‘tabDLL’ Module
The second new development is a dynamic link library (DLL) that is also used to grab user credentials, but whose ultimate goal is to spread the malware via network shares, researchers noted. As CPR laid out, tabDLL works through a multi-step process. In sequence, the module does the following:
- Enable the storing of user credentials in the memory of the LSASS (Local Security Authority Subsystem Service) process;
- Inject the “Locker” module into the legitimate explorer.exe process;
- From the infected explorer.exe, lock the user’s session, forcing the user to re-enter their login credentials;
- Those credentials are then held in LSASS process memory;
- Grab the credentials from LSASS memory using Mimikatz, an open-source tool for extracting passwords, hashes and tickets from LSASS memory;
- Report the credentials to the command-and-control (C2) server;
- And, use the EternalRomance exploit to spread to other machines inside the network via SMBv1 network shares (EternalRomance targets the SMBv1 flaw that Microsoft patched in MS17-010, so only unpatched hosts that still expose SMBv1 are at risk).
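The chain above depends on three host settings a defender can check directly: whether WDigest is allowed to keep plaintext logon credentials in LSASS memory, whether LSASS runs as a protected process (which blocks the memory reads Mimikatz relies on), and whether the SMBv1 server protocol is still enabled. The following PowerShell audit script is an added example written for this page; it is not code from the Check Point report or from TrickBot, and the remediation commands it prints are assumed defaults that should be reviewed before use. Run it in an elevated session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the CPR report): audit a Windows host for the
# settings the tabDLL credential-theft and spreading chain relies on.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

function Test-WDigestPlaintext {
    # On 8.1/2012 R2 and later, WDigest caches plaintext logon credentials in
    # LSASS only when UseLogonCredential is explicitly set to 1. (On older
    # systems with KB2871997 the value must be set to 0; an absent value there
    # still means caching is on, so review "(absent)" results on such hosts.)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        Check   = 'WDigest UseLogonCredential'
        Value   = if ($null -eq $val) { '(absent)' } else { $val }
        Exposed = ($val -eq 1)
    }
}

function Test-LsaProtection {
    # RunAsPPL = 1 (or 2 on recent Windows 11 builds) runs LSASS as a
    # Protected Process Light, so user-mode tools such as Mimikatz cannot open
    # it for reading without a kernel driver.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        Check   = 'LSA Protection (RunAsPPL)'
        Value   = if ($null -eq $val) { '(absent)' } else { $val }
        Exposed = -not ($val -eq 1 -or $val -eq 2)
    }
}

function Test-Smb1Server {
    # EternalRomance only works against an SMBv1 server; even on patched
    # hosts the protocol should be off.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check   = 'SMBv1 server protocol'
        Value   = $cfg.EnableSMB1Protocol
        Exposed = [bool]$cfg.EnableSMB1Protocol
    }
}

$results = @(Test-WDigestPlaintext; Test-LsaProtection; Test-Smb1Server)
$results | Format-Table -AutoSize

if ($results.Exposed -contains $true) {
    Write-Warning 'Host has at least one setting the tabDLL chain depends on.'
    Write-Host 'Suggested remediation (assumed commands; review before running):'
    Write-Host '  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Value 0 -Type DWord'
    Write-Host '  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Type DWord   # reboot required'
    Write-Host '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
```

Turning SMBv1 off closes the spreading path whether or not MS17-010 is installed, and enabling LSA protection defeats the Mimikatz step even if WDigest caching has been switched back on by malware; auditing all three together gives a quick picture of how far this particular module could get on a given host.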
TrickBot’s ‘pwgrabc’ Module
The pwgrabc module, as its name suggests, is a catch-all credential stealer for various applications.
The targeted applications are as follows: AnyConnect, Chrome, Chrome Beta, Edge, Edge Beta, FileZilla, Firefox, Git, Internet Explorer, KeePass, OpenSSH, OpenVPN, Outlook, Precious, PuTTY, RDCMan, RDP, TeamViewer, VNC and WinSCP.
The resurgent trojan has thus targeted the customers of 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks.