The developers behind TrickBot have once again upgraded the information stealer’s malicious capabilities, this time creating a variant that swipes credentials for various remote access services.
In a Feb. 12 company blog post, Trend Micro researchers Noel Anthony Llimos and Carl Maverick Pascual report that the new version targets passwords for Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP).
Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.ADnew, the new TrickBot was discovered this past January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails is a malicious Microsoft Excel spreadsheet featuring a malicious macro that, upon activation, downloads the malicious payload.
Trend Micro says the malware is similar to a slightly older variant, spotted last November, that uses a module called pwgrab to grab credentials from various browsers and send them to the attackers’ server. (An in-depth look at this previous version can be found here.)
In addition to credentials, the new TrickBot can steal a VNC user’s machine hostname, port and proxy settings. From PuTTY users, meanwhile, the malware can grab hostnames, usernames and private key files used for authentication. And from RDP users, the variant can swipe hostnames, usernames and passwords saved per RDP credential.
“These new additions to the already ‘tricky’ Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware,” the blog post states. “While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”