The Trickbot banking Trojan is not new malware, but researchers have recently discovered a variant that gives blue team security personnel something to watch out for. The banking Trojan has morphed so that it targets remote application credentials. This is effectively an update to a November 2018 variant that added a password-grabbing module (pwgrab) to the malware.
Noel Anthony Llimos and Carl Maverick Pascual, researchers at Trend Micro, published their findings in a blog post that delves into Trickbot's newest abilities. The quotes below capture the biggest takeaways from their research post:
This Trickbot variant is largely similar to the variant we discovered in November. However, the 2019 version adds three new functions, one each for the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms...
To grab VNC credentials, the pwgrab module searches for files using the “*.vnc.lnk” affix that are located in the following directories:
- %USERPROFILE%\Documents
- %USERPROFILE%\Downloads
The stolen information includes the target machine’s hostname, port, and the proxy settings.
To retrieve the PuTTY credentials, it queries the registry key Software\SimonTatham\Putty\Sessions to identify the saved connection settings, which allows the module to retrieve information such as the Hostname and Username, and Private Key Files used for authentication.
Its third function related to RDP uses the CredEnumerateA API to identify and steal saved credentials. It then parses the string “target=TERMSRV” to identify the hostname, username, and password saved per RDP credential.
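The three credential stores named in the quotes above are all things a defender can inventory before a stealer does. The script below is an added example, not code from the article or from Trend Micro: it runs an exposure audit over a constructed inventory standing in for one user's profile (the file paths, PuTTY session values and credential targets are all hypothetical), flags the artifacts pwgrab looks for, and reports their locations without ever printing a secret. On a real Windows host the same functions can be fed the output of `dir /s /b %USERPROFILE%`, `reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s` and `cmdkey /list`. The `PublicKeyFile` value is the one PuTTY uses to store the path of the private key for a session; the other names (`audit_host`, `Finding`, the sample data) are my own.

```python
import re
from dataclasses import dataclass

# Constructed inventory for one user profile (hypothetical values, not from the article).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\lab-vnc.vnc.lnk",
    r"C:\Users\alice\Downloads\notes.txt",
    r"C:\Users\alice\Desktop\old-box.vnc.lnk",   # outside the two folders pwgrab searches
]
SAMPLE_PUTTY_SESSIONS = {
    "jumphost": {"HostName": "jump.example.test", "UserName": "alice",
                 "PublicKeyFile": r"C:\Users\alice\keys\jump.ppk"},
    "scratch":  {"HostName": "10.0.0.5"},
}
SAMPLE_CRED_TARGETS = [          # as listed by `cmdkey /list`
    "Domain:target=TERMSRV/fileserver01",
    "LegacyGeneric:target=MicrosoftAccount:user=alice",
]

# Search paths and value names taken from the Trend Micro description.
VNC_SEARCH_DIRS = ("\\documents\\", "\\downloads\\")
PUTTY_SENSITIVE_VALUES = ("HostName", "UserName", "PublicKeyFile")
RDP_MARKER = re.compile(r"target=TERMSRV", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    store: str      # "vnc", "putty" or "rdp"
    location: str   # file path, session name or credential target (never the secret)
    note: str


def audit_vnc_links(paths):
    """Flag *.vnc.lnk files sitting in Documents or Downloads."""
    out = []
    for p in paths:
        low = p.lower()
        if low.endswith(".vnc.lnk") and any(d in low for d in VNC_SEARCH_DIRS):
            out.append(Finding("vnc", p, "VNC link file in a pwgrab search path"))
    return out


def audit_putty_sessions(sessions):
    """Flag saved PuTTY sessions that carry host, user or private-key references."""
    out = []
    for name, values in sessions.items():
        exposed = [v for v in PUTTY_SENSITIVE_VALUES if values.get(v)]
        if exposed:
            out.append(Finding("putty", name, "saved session exposes " + ", ".join(exposed)))
    return out


def audit_rdp_credentials(targets):
    """Flag Credential Manager entries that CredEnumerateA would return for RDP."""
    return [Finding("rdp", t, "saved RDP credential in Credential Manager")
            for t in targets if RDP_MARKER.search(t)]


def audit_host(files, sessions, targets):
    """Combine the three checks into one list of findings."""
    return (audit_vnc_links(files)
            + audit_putty_sessions(sessions)
            + audit_rdp_credentials(targets))


def summarize(findings):
    """Count findings per credential store."""
    counts = {"vnc": 0, "putty": 0, "rdp": 0}
    for f in findings:
        counts[f.store] += 1
    return counts


if __name__ == "__main__":
    for f in audit_host(SAMPLE_FILES, SAMPLE_PUTTY_SESSIONS, SAMPLE_CRED_TARGETS):
        print(f"[{f.store}] {f.location}: {f.note}")
```

The audit deliberately reports only where stored credentials live, so its output can be shared with users who need to migrate saved RDP logins to prompted entry or move PuTTY keys behind a passphrase and an agent. The Desktop link file in the sample is intentionally not reported: the post names only Documents and Downloads as search paths, and the script mirrors that scope rather than guessing at others.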
The researchers expect that this will not be the last time Trickbot is updated, but they want people to be aware of this current variant. Since Trickbot is distributed most prominently through spam email campaigns, Llimos and Pascual recommend staying on top of the different types of spam campaigns in order not to fall prey to them. The Trend Micro team also recommends having a robust arsenal of malware detection and removal software in order to mitigate any damage caused by an infection, should one occur.
Featured image: Wikimedia / Santeri Viinamäki