Trickbot Appears to Target OpenSSH and OpenVPN Data in Upgraded Password-Grabbing Module

Trickbot first arrived on the scene in 2016, its initial iteration being a banking trojan that infected computers to steal email passwords and address books to spread malicious emails from compromised accounts. A few years and multiple transformations later, what was a simple banking trojan has since mutated into a constantly evolving malware family that includes information theft, vulnerability exploitation, and rapid propagation among its capabilities.

[Read: The latest Trickbot campaign uses an obfuscated JavaScript file]

One of the more notable functions of Trickbot is a password-grabbing module (pwgrab) Trend Micro researchers found last year, with the initial version of the module designed to steal credentials from various applications and web browsers. In February, they found that the malware’s authors had launched a variant with an upgraded password module, allowing it to retrieve credentials from remote networking tools such Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.

Recently, researchers from Palo Alto’s Unit 42 discovered that the module has evolved a third time after discovering that Trickbot, which had showed consistent traffic patterns, suddenly sent HTTP POST requests from the pwgrab module. A closer look revealed that these were requests for private keys, passwords, and configuration files sourced from the networking utilities OpenSSH and OpenVPN. 

One caveat to the findings is that despite these requests being sent to command-and-control (C&C) servers, no data was found to actually have been exfiltrated. In addition, the researchers who discovered the requests also tested the malware variant in a lab environment and likewise found that the generated requests did not contain any actual data. This indicates that this feature of the module is under development or still being tested.

Trend Micro Solutions 

The difficulty with combating a threat like Trickbot is that over time, even small but constant changes can morph it into something entirely unrecognizable. For example, a security researcher analyzing the banking trojan as it appeared in 2016 might not be able to accurately correlate it with the present-day iteration of Trickbot unless they already had prior knowledge of it — and also knew what to look for when it comes to indicators.

Ideally, organizations should have security personnel who have intimate knowledge of the cybersecurity landscape and experience with malware families like Trickbot. However, personnel and resources — especially for cybersecurity considerations — are often in short supply. To address this challenge, organizations can look into sourcing third-party security services offering managed detection and response (MDR), such as Trend Micro™ Managed XDR, which offers a wide scope of visibility and expert security analytics by integrating detection and response functions across networks, endpoints, emails, servers, and cloud workloads. Through this service, organizations will have access to the whole knowledge base of Trend Micro, including prior analysis of Trickbot and other similarly sophisticated threats.

[Read: Trickbot brings its whole bag of tricks to the table]

Furthermore, users and enterprises can benefit from security technology that employs a multilayered approach to mitigate the risks brought by threats like Trickbot. Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including banking trojans, ransomware, and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats with various capabilities: bypassing traditional controls; exploiting known, unknown, or undisclosed vulnerabilities; either stealing or encrypting personally identifiable data; or conducting malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.