TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands


Malware Hunter
Jul 27, 2015
Cyberattackers are using the TrickBot malware to go after the customers of 60 high-profile companies, many of them in the U.S., researchers have warned. According to a Wednesday writeup from Check Point Research (CPR), the targeted brands include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others, and the victims themselves are cherry-picked rather than hit indiscriminately.
The TrickBot malware was originally a banking trojan, but it has evolved well beyond those humble beginnings into a wide-ranging credential stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware. Since the well-publicized law-enforcement takedown of its infrastructure in October 2020, the threat has clawed its way back and now sports more than 20 different modules that can be downloaded and executed on demand. It typically spreads via email, though the latest campaign adds self-propagation with the EternalRomance exploit, which abuses the SMBv1 flaw patched by MS17-010.
The version of TrickBot that CPR found being used in the current campaign sports three freshened-up modules of note, researchers said:
  • injectDll
  • tabDLL
  • pwgrabc

TrickBot’s ‘injectDll’: A Web-Injects Module

Web injects are well-known from the banking-trojan world: the malware inserts its own HTML and JavaScript into the real banking site's page inside the victim's browser, so the login form the victim sees is a facsimile overlaid on the genuine site. When the victim signs in, the injected code captures the credentials, which can pave the way for drained bank accounts and fraudulent wire transfers down the road. This particular module has added support for the web-injects format used by the infamous Zeus banking trojan, researchers said; the injected code collects data from login actions on the targeted sites and sends it to a command-and-control (C2) server. “The injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies,” according to the writeup. “Add Trickbot’s cherry-picking of victims, and the menace becomes even more dangerous.”

On the anti-analysis front, the payload injected into the banking site’s page is minified (whitespace stripped and identifiers shortened to cut its size, which as a side effect makes the code hard to read), obfuscated, and laced with anti-deobfuscation techniques, researchers said. The final payload, which contains the code that actually captures the victim’s keystrokes and form submissions, is likewise minified and obfuscated and carries several layers of anti-deobfuscation, they said. “Usually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on,” they explained. “After we applied these tools, we noticed that although the code became more readable, it also stopped working.”

TrickBot’s ‘tabDLL’ Module

The second new development is a dynamic link library (DLL) that also grabs user credentials, but whose ultimate goal is to spread the malware across the network via SMB shares, researchers noted. tabDLL works through a multi-step sequence, as CPR laid out:
  1. Enable the storing of cleartext user credentials in the LSASS (Local Security Authority Subsystem Service) process;
  2. Inject the “Locker” module into the legitimate explorer.exe process;
  3. From the injected explorer.exe, lock the user’s session so that the user is forced to enter their login credentials again;
  4. Those freshly entered credentials are then held in LSASS process memory;
  5. Grab the credentials from LSASS memory using Mimikatz, an open-source tool for extracting secrets from process memory;
  6. Report the credentials to the C2;
  7. And, use the EternalRomance exploit to spread to other hosts inside the network via SMBv1.

TrickBot’s ‘pwgrabc’ Module

The pwgrabc module, as its name suggests, is a catch-all password grabber that harvests stored credentials from a long list of applications.

The targeted applications are as follows: AnyConnect, Chrome, Chrome Beta, Edge, Edge Beta, FileZilla, Firefox, Git, Internet Explorer, KeePass, OpenSSH, OpenVPN, Outlook, Precious, PuTTY, RDCMan, RDP, TeamViewer, VNC and WinSCP.