Password grabber: Updated Trickbot malware steals OpenSSH and OpenVPN keys

News by Rene Millman

Security researchers have discovered an updated form of the Trickbot malware that has been changed to steal OpenSSH private keys and OpenVPN passwords and config data.

Security researchers have discovered an updated form of the Trickbot malware that has been changed to steal OpenSSH private keys and OpenVPN passwords and config data.

The malware was first observed in October 2016 and all the while has been adding new, more dangerous features.  According to researchers at Palo Alto Networks, one of Trickbot’s modules is a password grabber. This code  obtains login credentials from other applications installed on a victim’s host. It then sends stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by Trickbot.

The latest update resulted in researchers observing two new HTTP POST requests caused by the password grabber. They are identified as OpenSSH private keys and OpenVPN passwords and configsls.

Researchers added that these updates may not be fully functional.

"HTTP POST requests caused by the password grabber for OpenSSH and OpenVPN occur whether or not the victim’s host has OpenSSH or OpenVPN installed. And we have not seen this traffic contain any actual data," said researchers.

"We generated Trickbot infections in lab environments for both Windows 7 and Windows 10 hosts with configured OpenSSH and OpenVPN applications. However, we have not seen any working results."

They added that HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN during these infections contained no data.

While the updates don’t appear to work, Trickbot’s password grabber will grab sensitive data such as private keys from SSH-related applications like PuTTY. Researchers advised organisations to patch up Windows to hinder infections. 

Kevin Bocek, VP of security strategy & threat intelligence at Venafi, told SC Media UK that these findings show that hackers are wising up to a hidden gem: the fact that SSH machine identities give them master control over businesses’ sensitive information. 

"Those behind the latest Trickbot malware know that while security teams have spent billions on password protection and management, there’s little awareness about SSH keys and their dangers. SSH keys automate and have control over systems in the datacentre and the cloud. Stealing them gives hackers control and gives them the power to create long term back doors since SSH keys don’t expire and most organisations – even those with sophisticated defences – never change them," he said.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that many organised criminals and nation states put considerable effort into their malware. 

"Much of it is custom developed and we've seen many which are maintained for longer periods of time with extra functionality added frequently as is the case with Trickbot," he said.

"The best thing organisations can do to defend against such malware is to protect against them getting into the company in the first place. This is typically through patching public-facing systems, training users to identify and not fall victim to spearphishing attacks, and ensuring MFA and strong passwords are enabled. For when a compromise does occur, organisations should have threat detection controls in place that can identify and alert on suspicious activity."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews