The developers behind TrickBot have once again upgraded the information stealer’s malicious capabilities, this time creating a variant that swipes credentials for various remote access services.
In a 12 February company blog post, Trend Micro researchers Noel Anthony Llimos and Carl Maverick Pascual report that the new version targets passwords for Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP).
Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD, the new TrickBot was discovered in January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails is a malicious Microsoft Excel spreadsheet containing a macro that, once the recipient enables it, downloads the payload.
Trend Micro says the malware is similar to a slightly older variant, spotted in November, that uses a module called pwgrab to snag credentials from various browsers and send them to the attacker's server (Trend Micro published an in-depth look at that previous version at the time).
In addition to credentials, the new TrickBot can steal a VNC user’s machine hostname and port and proxy settings. From PuTTY users, the malware can grab hostnames, usernames and private key files used for authentication. And from RDP users, the variant can swipe hostnames, usernames and passwords saved per RDP credential.
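The practical question for a defender is what such a grabber would actually find on a given workstation. The following PowerShell audit is an added example written for this article; it is not code from Trend Micro's report or from TrickBot. It enumerates the two stores the article's PuTTY and RDP points correspond to: PuTTY saved sessions (kept under HKCU\Software\SimonTatham\PuTTY\Sessions, where the value named PublicKeyFile holds the path to the .ppk private key) and the RDP client's server history plus any TERMSRV/* entries in Credential Manager. VNC client settings vary by vendor and are deliberately left out; no single registry path is assumed for them.

```powershell
# Added audit example (not from the Trend Micro report or TrickBot): list what a
# PuTTY/RDP credential grabber would find in the current user's profile.

function Get-PuttySessionExposure {
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            # PuTTY percent-encodes session names in the registry key name
            Session        = [uri]::UnescapeDataString($_.PSChildName)
            HostName       = $s.HostName
            UserName       = $s.UserName
            # Despite the value name, PublicKeyFile is the path to the .ppk private key
            PrivateKeyFile = $s.PublicKeyFile
            KeyOnDisk      = if ($s.PublicKeyFile) { Test-Path $s.PublicKeyFile } else { $false }
        }
    }
}

function Get-RdpExposure {
    $base = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
    $history = @()
    if (Test-Path $base) {
        $history = Get-ChildItem $base | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Host = $_.PSChildName; UsernameHint = $p.UsernameHint }
        }
    }
    # Saved RDP passwords live in Credential Manager as TERMSRV/<host> targets.
    # cmdkey lists the targets only; the secret itself stays DPAPI-protected, which is
    # why a grabber running as the user (like TrickBot) can still decrypt it.
    $saved = cmdkey /list 2>$null |
             Where-Object { $_ -match 'Target:\s*.*TERMSRV/' } |
             ForEach-Object { ($_ -split 'Target:\s*')[1].Trim() }
    [pscustomobject]@{ History = @($history); SavedCredentialTargets = @($saved) }
}

$putty = @(Get-PuttySessionExposure)
$rdp   = Get-RdpExposure

"PuTTY sessions referencing a private key file: {0}" -f @($putty | Where-Object { $_.PrivateKeyFile }).Count
"RDP hosts in client history: {0}; saved TERMSRV credentials: {1}" -f $rdp.History.Count, $rdp.SavedCredentialTargets.Count
$putty | Format-Table -AutoSize
$rdp.History | Format-Table -AutoSize
$rdp.SavedCredentialTargets
```

Run it in the context of the user whose profile you are assessing, since both stores are per-user. Any .ppk that shows up with KeyOnDisk set to True should be passphrase-protected (the malware copies the file, so an unencrypted key is immediately usable), and TERMSRV/* entries that are no longer needed can be removed with cmdkey /delete.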
"These new additions to the already ‘tricky’ TrickBot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware," the blog post states. "While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind TrickBot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective."
This article was originally published on SC Media US.