TrickBot variant steals credentials for remote computer access

silversurfer

The developers behind TrickBot have once again upgraded the information stealer’s malicious capabilities, this time creating a variant that swipes credentials for various remote access services.

In a Feb. 12 company blog post, Trend Micro researchers Noel Anthony Llimos and Carl Maverick Pascual report that the new version targets passwords for Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP).

Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD, the new TrickBot was discovered this past January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails is a malicious Microsoft Excel spreadsheet featuring a malicious macro that, upon activation, downloads the malicious payload.

Trend Micro says the malware is similar to a slightly older variant, spotted last November, that uses a module called pwgrab to grab credentials from various browsers and communicate them to the attackers’ server.

In addition to credentials, the new TrickBot can steal a VNC user’s machine hostname, port and proxy settings. From PuTTY users, meanwhile, the malware can grab hostnames, usernames and private key files used for authentication. And from RDP users, the variant can swipe hostnames, usernames and passwords saved per RDP credential.

“These new additions to the already ‘tricky’ Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware,” the blog post states. “While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”
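The post above lists what the variant harvests (PuTTY hostnames, usernames and private key files; saved RDP credentials per target) but not where a defender would look to see how exposed a host is. The script below is an added example written for this thread, not code from the article, from Trend Micro or from the malware itself. It parses two artifacts a responder can collect from a Windows host offline: a `reg export` of the PuTTY sessions key and the output of `cmdkey /list`. Two assumptions come from general Windows knowledge rather than from the post: PuTTY stores saved sessions under `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions`, and credentials saved by the RDP client appear in Credential Manager with a target of the form `TERMSRV/<host>`. VNC is left out because the storage location depends on the VNC client and the post names none. All sample input is constructed.

```python
"""Triage helper: parse host artifacts that the TrickBot pwgrab variant targets.

Assumed collection commands (run on the suspect host; this script never
touches the registry or Credential Manager itself):
    reg export HKCU\\Software\\SimonTatham\\PuTTY\\Sessions putty_sessions.reg
    cmdkey /list > saved_creds.txt
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: PuTTY keeps saved sessions as subkeys of this registry key.
PUTTY_SESSIONS_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"

# Constructed sample shaped like `reg export` output (normally UTF-16 on disk).
SAMPLE_PUTTY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions]

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod-bastion]
"HostName"="bastion.example.internal"
"PortNumber"=dword:00000016
"UserName"="deploy"
"PublicKeyFile"="C:\\Users\\alice\\.ssh\\deploy.ppk"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\lab-box]
"HostName"="10.0.5.20"
"PortNumber"=dword:00000016
"UserName"=""
"PublicKeyFile"=""
'''

# Constructed sample shaped like `cmdkey /list` output; only the TERMSRV/
# entry is a saved RDP credential (assumption: RDP client naming convention).
SAMPLE_CMDKEY = """
Currently stored credentials:

    Target: Domain:target=TERMSRV/rdp01.example.internal
    Type: Domain Password
    User: EXAMPLE\\alice

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: alice
    Local machine persistence
"""


@dataclass
class PuttySession:
    name: str
    host: str = ""
    port: int = 22
    user: str = ""
    key_file: str = ""  # path to the .ppk private key, if one is configured


@dataclass
class StoredCredential:
    target: str
    cred_type: str = ""
    user: str = ""


_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def _unescape_reg_string(value: str) -> str:
    # reg export writes backslash and double quote as \\ and \" inside strings.
    return re.sub(r"\\(.)", r"\1", value)


def parse_putty_reg_export(text: str) -> List[PuttySession]:
    """Return one PuttySession per saved-session subkey in a .reg export."""
    prefix = (PUTTY_SESSIONS_KEY + "\\").lower()
    sessions: List[PuttySession] = []
    current: Optional[PuttySession] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.lower().startswith(prefix):
                current = PuttySession(name=key[len(prefix):])
                sessions.append(current)
            else:
                current = None  # parent key or something unrelated
            continue
        if current is None:
            continue
        dword = _DWORD_RE.match(line)
        if dword:
            if dword.group(1) == "PortNumber":
                current.port = int(dword.group(2), 16)
            continue
        string = _STR_RE.match(line)
        if string:
            name, value = string.group(1), _unescape_reg_string(string.group(2))
            if name == "HostName":
                current.host = value
            elif name == "UserName":
                current.user = value
            elif name == "PublicKeyFile":
                current.key_file = value
    return sessions


def parse_cmdkey_list(text: str) -> List[StoredCredential]:
    """Parse the Target/Type/User blocks printed by `cmdkey /list`."""
    creds: List[StoredCredential] = []
    current: Optional[StoredCredential] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = StoredCredential(target=line[len("Target:"):].strip())
            creds.append(current)
        elif current is not None and line.startswith("Type:"):
            current.cred_type = line[len("Type:"):].strip()
        elif current is not None and line.startswith("User:"):
            current.user = line[len("User:"):].strip()
    return creds


def rdp_saved_credentials(creds: List[StoredCredential]) -> List[StoredCredential]:
    return [c for c in creds if "TERMSRV/" in c.target.upper()]


def exposure_report(putty_reg: str, cmdkey_output: str) -> Dict[str, List[str]]:
    """Summarise what the variant could harvest from these two artifacts."""
    report: Dict[str, List[str]] = {"putty_hosts": [], "putty_private_keys": [], "rdp_targets": []}
    for s in parse_putty_reg_export(putty_reg):
        prefix = f"{s.user}@" if s.user else ""
        report["putty_hosts"].append(f"{prefix}{s.host}:{s.port}")
        if s.key_file:
            report["putty_private_keys"].append(s.key_file)
    for c in rdp_saved_credentials(parse_cmdkey_list(cmdkey_output)):
        host = c.target.split("TERMSRV/", 1)[1]
        report["rdp_targets"].append(f"{c.user}@{host}")
    return report


if __name__ == "__main__":
    for section, items in exposure_report(SAMPLE_PUTTY_REG, SAMPLE_CMDKEY).items():
        print(section, items)
```

Every private key path the script lists is a key that should be treated as compromised and rotated if the host was infected, and every `TERMSRV/` entry is a saved RDP password worth resetting; the session hostnames tell you which systems the attackers learned about even where no secret was stored.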
 
