Trickbot is a modular malware which was first observed in 2016 and it steals system information, login credentials and other sensitive data from vulnerable Windows machines.
However, in November, security researchers from Palo Alto Networks began to see indicators that Trickbots' password grabber module had begun to target data from OpenSSH and OpenVPN applications.
When a Windows host is infected with Trickbot, it downloads different modules to perform various functions. The modules themselves are stored as encrypted binaries in a folder located in the infected system's AppDataRoaming directory and they are then decoded as DLL files that run from system memory.
- Bromium uncovers US-based malware distribution center
- These were the worst malware strains of 2019
- Also check out the best free anti-malware software
Pwgrab64 is a password grabber used by Trickbot and this module retrieves login credentials stored in a victim's browser cache but it can also obtain login credentials from other applications installed on a victim's host.
Targeting OpenSSH and OpenVPN
Traffic patterns from recent Trickbot infections were fairly consistent until November when Palo Alto Networks started seeing two new HTTP POST requests for OpenSSH private keys and OpenVPN passwords and configs caused by the malware's password grabber.
Thankfully these updates to Trickbot's password grabber module may not be fully functional yet as the researchers did not see any actual data from OpenVPN contained in the traffic coming from the malware. They also set up Trickbot infections in lab environments where HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN contained no data.
However, Trickbot's password grabber does indeed work and will still obtain SSH passwords and private keys from an SSH/Telnet client named PuTTY.
The updated traffic patterns discovered by Palo Alto Networks show that Trickbot continues to evolve but users can avoid falling victim to this malware by running fully-patched and up-to-date versions of Microsoft Windows.
- Also check out our complete list of the best VPN services
No comments yet.