New Trickbot module implements Remote App Credential-Grabbing features

The Trickbot banking trojan continues to evolve, Trend Micro detected a new variant that includes a new module used for Remote App Credential-Grabbing.

The infamous Trickbot banking trojan is back, experts at Trend Micro detected a new strain of the malware using an updated info-stealing module.

The new strain of the Trickbot banking trojan that a
updated info-stealing module. llows it to harvest remote desktop application credentials.

The new variant is being spread via spam emails that pose as tax-incentive notification purporting to be from the financial services company Deloitte.

The spam messages come with a macro-enabled (XLSM) Microsoft Excel spreadsheet attachment that purportedly includes data related to the tax incentive. The embedded macro download and execute the Trickbot on the user’s machine.

Experts noticed three new functions implemented in the new password-grabbing module:

• Virtual Network Computing (VNC) credential stealer ability;
• PuTTY credential stealer ability;
• Remote Desktop Protocol (RDP) credential stealer ability;

Trickbot relies on “pwgrab” module to capture the VNC credentials, including the target machine’s hostname, port and proxy settings. The module searches for files using the “*.vnc.lnk” affix that are located in a user’s folders for recent applications and downloads.

The module will send the stolen data via POST, which is configured through a downloaded configuration file using the filename ‘dpost.’” The file contains a list of command-and-control (C2) servers that will receive the exfiltrated data.

The new Trickbot variant is also able to steal PuTTY credentials, it queries the registry key (i.e., “Software\SimonTatham\Putty\Sessions”) to retrieve saved connection settings. Using the settings the module could retrieve an array of useful information, including host name, user name, and the private key files used for authentication.

The new Trickbot’s module is also able to steal RDP credentials by using the “CredEnumerateA” API to identify and saved credentials.

“Its third function related to RDP uses the CredEnumerateA API to identify and steal saved credentials. It then parses the string “target=TERMSRV” to identify the hostname, username, and password saved per RDP credential.” Trend Micro experts explained.

Trickbot also uses the encryption for the strings implemented via simple variants of XOR or SUB routines and also borrowed from the Carberp trojan source code the use of API hashes for indirect API calling.

“These new additions to the already “tricky” Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware.” concludes the analysis. “While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot malware, hacking)

[adrotate banner="5"]

[adrotate banner=”13″]