Trickbot Shows Off New Trick: Password Grabber Module
(Nov 1, 2018)
Trend Micro researchers have identified that the threat actors behind the "Trickbot" banking trojan have added a password-stealing module to the malware. The new module steals stored credentials from desktop applications such as Microsoft Outlook, FileZilla, and WinSCP, as well as from the web browsers Chrome, Edge, Firefox, and Internet Explorer. The browser data that can be stolen includes autofill entries, browsing history, HTTP POST data, cookies, and saved usernames and passwords. The Trickbot version that carries this module is primarily targeting individuals in Canada, the Philippines, and the US. This variant has also been observed to install an auto-start service, so the malware runs every time an infected machine boots, and to carry a "shareDll32" module used to propagate itself across a network. As of this writing, the distribution method for this Trickbot variant has not been reported.
Recommendation: Ensure that your company's firewall exposes only the services that must be reachable from outside, and keep a record of what normal traffic looks like on your network (which hosts talk to which destinations, on which ports). With that baseline, unusual connections to and from your network are easier to spot, including a new external destination that no host contacted before or a single workstation suddenly reaching many internal peers, as a self-propagating module would. Because this variant harvests credentials saved in browsers and in clients such as Outlook, FileZilla, and WinSCP, any account whose password was stored on an infected machine should be treated as compromised and rotated.
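The baseline-and-deviation check described in the recommendation, as an added example that is not part of the original story or of Trend Micro's analysis. The flow records, the internal address range (10.0.0.0/16), the port numbers and the fan-out threshold are all constructed assumptions for illustration; the two checks (an external destination:port never seen in the baseline window, and one internal host contacting many internal peers on the same port outside its baseline behaviour) are generic and do not encode any Trickbot-specific indicator:

```python
"""Flag outbound connections that deviate from a recorded baseline.

Input is a simplified, constructed flow-record format (CSV):
    timestamp,src_ip,dst_ip,dst_port,proto
Nothing here is real telemetry; it exists only to exercise the checks.
"""
import csv
from collections import defaultdict
from io import StringIO

# Assumption: the sample network's internal range is 10.0.0.0/16.
INTERNAL_PREFIX = "10.0."

# Constructed "known normal" traffic captured during a quiet baseline window.
BASELINE_CSV = """timestamp,src_ip,dst_ip,dst_port,proto
2018-10-20T09:00:01,10.0.1.10,10.0.0.5,53,udp
2018-10-20T09:00:02,10.0.1.10,93.184.216.34,443,tcp
2018-10-20T09:01:00,10.0.1.11,10.0.0.5,53,udp
2018-10-20T09:01:05,10.0.1.11,10.0.0.20,445,tcp
2018-10-20T09:02:00,10.0.1.12,10.0.0.5,53,udp
2018-10-20T09:02:10,10.0.1.12,93.184.216.34,443,tcp
2018-10-20T09:03:00,10.0.1.10,10.0.0.20,445,tcp
2018-10-20T10:00:00,10.0.1.11,10.0.0.25,993,tcp
"""

# Constructed observation window: host 10.0.1.12 contacts a never-seen external
# address on an unusual port and then fans out to six internal peers on 445.
OBSERVED_CSV = """timestamp,src_ip,dst_ip,dst_port,proto
2018-10-30T09:00:01,10.0.1.10,10.0.0.5,53,udp
2018-10-30T09:00:02,10.0.1.10,93.184.216.34,443,tcp
2018-10-30T09:05:00,10.0.1.12,198.51.100.7,2222,tcp
2018-10-30T09:05:01,10.0.1.12,198.51.100.7,2222,tcp
2018-10-30T09:06:00,10.0.1.12,10.0.1.20,445,tcp
2018-10-30T09:06:01,10.0.1.12,10.0.1.21,445,tcp
2018-10-30T09:06:02,10.0.1.12,10.0.1.22,445,tcp
2018-10-30T09:06:03,10.0.1.12,10.0.1.23,445,tcp
2018-10-30T09:06:04,10.0.1.12,10.0.1.24,445,tcp
2018-10-30T09:06:05,10.0.1.12,10.0.1.25,445,tcp
2018-10-30T09:07:00,10.0.1.11,10.0.0.25,993,tcp
"""


def parse_flows(text):
    """Parse the CSV flow format into a list of dicts (one per record)."""
    return list(csv.DictReader(StringIO(text)))


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def build_baseline(flows):
    """Record every (src, dst, port, proto) tuple and every external dst:port seen."""
    pairs = set()
    external = set()
    for f in flows:
        pairs.add((f["src_ip"], f["dst_ip"], f["dst_port"], f["proto"]))
        if not is_internal(f["dst_ip"]):
            external.add((f["dst_ip"], f["dst_port"]))
    return {"pairs": pairs, "external": external}


def find_anomalies(baseline, flows, fanout_threshold=5):
    """Return (kind, host, detail) findings for flows that deviate from the baseline."""
    findings = []

    # Check 1: external destination:port never contacted during the baseline window.
    reported = set()
    for f in flows:
        key = (f["dst_ip"], f["dst_port"])
        if is_internal(f["dst_ip"]) or key in baseline["external"] or key in reported:
            continue
        reported.add(key)
        findings.append(("new_external_destination", f["src_ip"],
                         f"{f['dst_ip']}:{f['dst_port']}/{f['proto']}"))

    # Check 2: one internal host reaching many internal peers on the same port,
    # counting only connections that were not part of its baseline behaviour.
    peers = defaultdict(set)
    for f in flows:
        if not is_internal(f["dst_ip"]) or f["src_ip"] == f["dst_ip"]:
            continue
        if (f["src_ip"], f["dst_ip"], f["dst_port"], f["proto"]) in baseline["pairs"]:
            continue
        peers[(f["src_ip"], f["dst_port"])].add(f["dst_ip"])
    for (src, port), dsts in sorted(peers.items()):
        if len(dsts) >= fanout_threshold:
            findings.append(("internal_fanout", src, f"{len(dsts)} peers on port {port}"))
    return findings


def run():
    """Apply the checks to the constructed observation window."""
    baseline = build_baseline(parse_flows(BASELINE_CSV))
    return find_anomalies(baseline, parse_flows(OBSERVED_CSV))


if __name__ == "__main__":
    for kind, host, detail in run():
        print(f"{kind:<25} {host:<12} {detail}")
```

On the constructed data this reports the unknown external destination and the six-peer fan-out from 10.0.1.12 and nothing else. The threshold and the "baseline window" are the tuning knobs: a baseline recorded while an infection is already present will teach the detector that the malicious traffic is normal, so record it from a period you have reason to trust and refresh it deliberately rather than continuously.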
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.