One of the financial sector’s most enduring nemeses is back at it again. According to recent reports, the infamous TrickBot banking Trojan is making a major return, and bankers should be aware. The new variant carries a dedicated module that steals the credentials users keep for remote-access tools.
That updated credential-grabbing module is what lets TrickBot harvest remote-desktop and remote-login credentials from the infected machine. Hackers are spreading this latest strain through spam emails, in what is possibly the oldest scam in the digital data-grabbing book.
Users are warned to look out for one email in particular, which the scammers are using as a front to spread the malware. The email appears to come from Deloitte, the well-known professional services firm, and at face value it looks like a regular tax-incentive notification.
The catch is that the email carries an attachment that users must open to read the tax-incentive details in full. The attachment is a Microsoft Excel spreadsheet with an embedded macro; once the file is opened and macros are enabled, the macro installs TrickBot on the device.
How It Works
- First, you receive an email with a subject line that insinuates you’re eligible for a tax incentive.
- Once you open the attached Excel spreadsheet and enable macros, the malicious macro runs
- The macro installs TrickBot on the machine
- TrickBot’s credential-stealing module harvests your usernames and passwords, along with confidential data from various applications.
- The module sends the stolen information to several command-and-control (C&C) servers.
According to experts, the latest TrickBot module has a number of new functions, such as:
- The ability to steal PuTTY credentials
- The ability to steal Virtual Network Computing (VNC) credentials
- The ability to steal Remote Desktop Protocol (RDP) credentials
Using a module called “pwgrab”, TrickBot steals VNC connection details, a capability not seen in earlier versions. It searches the user’s folders (such as the recent-items and Downloads folders) for shortcut files with a “*.vnc.lnk” extension, which point at saved VNC connection files, and extracts the target hostname, port and proxy settings from them. Because it only reads files the user has already saved, this draws little attention.
The stolen data is then sent out in HTTP POST requests to the servers listed in the module’s configuration file, named “dpost”, which holds the addresses of every server set up to receive the data.
PuTTY credentials are taken quietly by querying the registry key where PuTTY stores its saved sessions, which yields the hostname, the username and the path to the private authentication key file for each session. For RDP, the module calls the Windows CredEnumerateA API to enumerate the credentials saved in Credential Manager and parses the entries containing the string “target=TERMSRV” (the form Windows uses for Remote Desktop targets) to recover the hostname, username and password of each saved RDP connection.
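An added example of the defensive check this suggests (my code, not TrickBot’s and not from the original article): a PowerShell audit that lists what a pwgrab-style module would find in the current user’s profile. It reads PuTTY sessions from the registry key PuTTY documents for saved sessions, Credential Manager entries whose target is TERMSRV/<host> (via `cmdkey /list`), and *.vnc.lnk shortcuts in the recent-items, Documents and Downloads folders (my choice of folders). Parsing the .vnc file behind each shortcut assumes an INI-style text file whose key names depend on the VNC viewer in use.

```powershell
# Added example (my code, not TrickBot's and not from the article): audit the three
# credential sources the pwgrab module is reported to harvest on a Windows host.
# Run in the interactive user's session; it only reads, nothing is sent anywhere.

# 1. PuTTY saved sessions. PuTTY keeps them under this registry key (PuTTY's
#    documented location); a session may record HostName, UserName and the path to
#    the private key file (PublicKeyFile), exactly the fields a thief wants.
$puttyKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
$putty = if (Test-Path $puttyKey) {
    Get-ChildItem $puttyKey | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Source = 'PuTTY'
            Target = $s.HostName
            User   = $s.UserName
            # PuTTY URL-encodes session names in the registry, so decode for display
            Detail = "session=$([uri]::UnescapeDataString($_.PSChildName)) key=$($s.PublicKeyFile)"
        }
    }
}

# 2. Saved RDP credentials. Credential Manager stores them with target names of the
#    form TERMSRV/<host>; cmdkey /list prints "Target: Domain:target=TERMSRV/<host>"
#    (the "target=TERMSRV" string the article mentions) followed by a "User:" line.
$rdp = @()
$rdpHost = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match 'Target:.*TERMSRV/(\S+)') { $rdpHost = $Matches[1] }
    elseif ($rdpHost -and $line -match 'User:\s*(.+)$') {
        $rdp += [pscustomobject]@{ Source = 'RDP'; Target = $rdpHost; User = $Matches[1].Trim(); Detail = 'Credential Manager' }
        $rdpHost = $null
    }
}

# 3. VNC connection shortcuts (*.vnc.lnk). Each shortcut points at a saved .vnc
#    connection file. Assumption: that file is INI-style text whose key names
#    (Host, Port, Proxy...) depend on the VNC viewer; adjust the pattern to yours.
$dirs  = @("$env:APPDATA\Microsoft\Windows\Recent", "$env:USERPROFILE\Documents", "$env:USERPROFILE\Downloads")
$shell = New-Object -ComObject WScript.Shell
$vnc = Get-ChildItem -Path $dirs -Filter '*.vnc.lnk' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $conn = if ($target -and (Test-Path $target)) {
        (Get-Content $target | Where-Object { $_ -match '^(Host|Port|Proxy)' }) -join '; '
    }
    [pscustomobject]@{ Source = 'VNC'; Target = $target; User = $null; Detail = "shortcut=$($_.FullName) $conn" }
}

# Everything printed here is what an infection would hand to its C&C servers.
@($putty) + @($rdp) + @($vnc) | Where-Object { $_ } | Format-Table -AutoSize
```

Run it as the user whose profile you are checking. Anything it lists is exposure: remove stale RDP entries with `cmdkey /delete:<target>`, delete PuTTY sessions you no longer use, and clear old VNC connection files rather than leaving them in Recent or Downloads.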
It also obfuscates its strings, including the names of the Windows APIs it calls, with simple XOR or SUB routines and decodes them only at run time; the decoded names are then used to resolve and call the APIs indirectly, so a static scan of the binary does not reveal which functions it relies on.
What we can learn from TrickBot’s stronger resurgence is that the authors behind it are dedicated to improving their creation. They are working tirelessly to make their malware more effective and harder to detect.
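As an added example of undoing that kind of string protection (my code, not TrickBot’s and not from the original article), the following PowerShell function brute-forces every single-byte XOR and SUB key against a byte blob, keeps only candidates that decode to printable ASCII, and flags those containing known artefact names. The two sample blobs are constructed by me (“CredEnumerateA” XOR 0x5A, and “TERMSRV/*” with 0x13 added to every byte); they are not bytes from a real sample, and the marker list is my choice.

```powershell
# Added example (my code, not TrickBot's): recover strings hidden with a single-byte
# XOR or SUB transform, the kind of simple routine the article describes. Malware that
# stores API names this way decodes them at run time and resolves the function address
# by name, so the plaintext never appears in the binary. An analyst reverses that: try
# every key and both operations, keep what decodes to printable ASCII, and surface
# candidates containing known artefact names first.
function Find-DecodedStrings {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        # Markers worth flagging; this list is my choice, extend it per sample.
        [string[]]$Markers = @('Cred', 'TERMSRV', 'SimonTatham', 'vnc', 'dpost', 'Proc', 'Alloc')
    )
    $markerPattern = ($Markers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($op in 'xor', 'sub') {
        foreach ($key in 0..255) {
            # XOR is its own inverse; for SUB the malware subtracts the key, so we do too
            $dec = [byte[]]($Blob | ForEach-Object {
                if ($op -eq 'xor') { $_ -bxor $key } else { ($_ - $key) -band 0xFF }
            })
            # Reject anything with a non-printable byte; most wrong keys fail here.
            if (@($dec | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7E }).Count -gt 0) { continue }
            $text = [System.Text.Encoding]::ASCII.GetString($dec)
            [pscustomobject]@{
                Method = $op
                Key    = ('0x{0:X2}' -f $key)
                Known  = [bool]($text -match $markerPattern)
                Text   = $text
            }
        }
    }
}

# Constructed samples (mine, not bytes from a real TrickBot binary):
# "CredEnumerateA" XOR 0x5A, and "TERMSRV/*" with 0x13 added to every byte.
$sampleXor = [byte[]](0x19, 0x28, 0x3F, 0x3E, 0x1F, 0x34, 0x2F, 0x37, 0x3F, 0x28, 0x3B, 0x2E, 0x3F, 0x1B)
$sampleSub = [byte[]](0x67, 0x58, 0x65, 0x60, 0x66, 0x65, 0x69, 0x42, 0x3D)

foreach ($blob in $sampleXor, $sampleSub) {
    Find-DecodedStrings -Blob $blob |
        Sort-Object -Property Known -Descending |
        Select-Object -First 3 |
        Format-Table -AutoSize
}
```

The first sample decodes to “CredEnumerateA” with method xor and key 0x5A, the second to “TERMSRV/*” with method sub and key 0x13; the remaining rows are printable but meaningless decodes, which is why the marker flag, not printability alone, drives the ranking. Real samples often use a different key per string, so run the function per extracted blob rather than over the whole section.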