The screen-locking feature added to a popular banking trojan was never intended to be used for ransomware-like operations, researchers from Fortinet revealed on Monday.
The banking trojan in question is TrickBot, and the screenlocker component was first seen at the end of March by multiple security firms and independent researchers.
Initially, researchers believed the TrickBot authors were in the first phases of deploying a screen-locking component that would transform the malware into a dual threat: a banking trojan and ransomware combined.
At the time, there was no support for file encryption operations, and researchers believed this was because they caught an early version of this particular module, expecting newer versions to roll out in the following weeks.
Screenlocker module used for password theft
But with no new versions of this module being spotted in the wild, and after intensive analysis, Fortinet researchers revealed the screen-locking component has nothing to do with ransoming operations and instead is part of TrickBot's password-stealing exploitation chain.
Recent versions of the TrickBot banking trojan leverage the Mimikatz password-dumping tool to steal WDigest credentials from a Windows computer's LSA memory, where they are stored in plaintext.
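The WDigest plaintext caching that this credential-theft step relies on is controlled by a registry value, so a defender can audit (and switch off) that setting on a host. The following PowerShell is an added example, not code from the article or from Fortinet; it assumes an elevated session and uses the standard WDigest UseLogonCredential value, with the OS-version logic based on Windows 8.1 / Server 2012 R2 being the first releases that disable caching by default.

```powershell
# Audit (and optionally remediate) WDigest plaintext credential caching in LSASS.
# Example defender script added to this article; not from Fortinet or the TrickBot analysis.
# Run in an elevated PowerShell session; pass -Remediate to set the value to 0.
param([switch]$Remediate)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name = 'UseLogonCredential'

# Windows 8.1 / Server 2012 R2 and later do not cache WDigest plaintext credentials
# unless the value is explicitly set to 1. Windows 7 / 2008 R2 / 8 / 2012 cache them
# by default and need KB2871997 installed AND the value explicitly set to 0.
$os = [System.Environment]::OSVersion.Version
$modernDefaultOff = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)

$value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $value) {
    if ($modernDefaultOff) { $state = 'Disabled (OS default, value absent)' }
    else { $state = 'ENABLED (legacy default: plaintext cached in LSASS)' }
} elseif ($value -eq 0) {
    $state = 'Disabled (explicitly set to 0)'
} else {
    $state = "ENABLED (explicitly set to $value)"
}

Write-Output "WDigest $Name on $env:COMPUTERNAME : $state"

if ($Remediate -and $state -like 'ENABLED*') {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord
    # Secrets already held for logged-on sessions stay in memory until those sessions end.
    Write-Output "Set $Name=0; existing logon sessions keep cached secrets until logoff/reboot."
}
```

Disabling WDigest caching removes the plaintext secrets this Mimikatz step reads, but the tool can still recover NTLM hashes and Kerberos material from LSASS, so the setting is one layer alongside Credential Guard and LSASS protection (RunAsPPL).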