Threat Management, Malware

TrickBot variant steals credentials for remote computer access

The developers behind TrickBot have once again upgraded the information stealer's malicious capabilities, this time creating a variant that swipes credentials for various remote access services.

In a Feb. 12 company blog post, Trend Micro researchers Noel Anthony Llimos and Carl Maverick Pascual report that the new version targets passwords for Virtual Network Computing (VCN), PuTTY, and Remote Desktop Protocol (RDP).

Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.ADnew, the new TrickBot was discovered this past January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails are a malicious Microsoft Excel spreadsheet, featuring with a malicious macro that, upon activation, downloads the malicious payload.

Trend Micro says the malware is similar to a slightly older variant, spotted last November that uses a module called pwgrab to grab credentials from various browsers and communicate them the attackers' server. (An in-depth look at this previous version can be found here.)

In addition to credentials, the new TrickBot can steal a VNC user's machine hostname, port and proxy settings. From PuTTY users, meanwhile, the malware can grab hostnames, usernames and private key files used for authentication. And from RDP users, the variant can swipe hostnames, usernames and passwords saved per RDP credential.

"These new additions to the already 'tricky' Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware," the blog post states. "While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.