Steals credentials from Filezilla, Outlook, WinSCP, browsers

Nov 1, 2018 19:47 GMT

Once known as a run-of-the-mill banking trojan with phishing abilities, Trickbot has been upgraded lately with new malware modules designed to expand its capabilities and allow the actors behind it to collect even more data from compromised machines. 

As reported by Trend Micro, screen-locking and detection-evasion capabilities were added to Trickbot in March, and this month its authors added a new password grabber module (aka PasswordGrabber) that collects and exfiltrates passwords from infected systems.

The module scans for saved passwords in Microsoft Outlook, FileZilla, and WinSCP, as well as in the Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge web browsers.

The new Trickbot variant has been observed by Trend Micro while targeting victims from multiple countries around the globe, with the United States, Canada, and the Philippines being the ones hit the most.

Trickbot's developers update its capabilities by pushing the new modules from the malware's command and control (C&C) server.

Beyond passwords, the new module is also designed to scan for, harvest, and exfiltrate usernames, Internet cookies, browsing history, autofill data, and HTTP POST data to its operators.

PasswordGrabber module can harvest passwords from web browsers and Windows programs

The good news, for now, is that Trickbot's PasswordGrabber module does not steal passwords from dedicated password-manager applications installed on infected machines; Trend Micro's researchers have not yet been able to examine whether the trojan can acquire data from password managers' browser add-ons.

Trickbot is now also capable of achieving persistence on compromised computers by creating a Windows service set to start automatically, which relaunches the trojan after every system reboot.
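The persistence described above is the kind of thing a responder can hunt for directly. The following PowerShell is an added example written for this article, not code from Trend Micro's report or from the malware itself: it lists automatically starting services and scheduled tasks whose executable lives outside the usual Windows and Program Files directories. The directory allowlist, the command-line parsing, and the output fields are this example's own assumptions, not published Trickbot indicators.

```powershell
# Added example: hunt for auto-start persistence (services and scheduled tasks)
# whose binary runs from an unexpected location. The trusted-root list below is
# an assumption of this example, not a Trickbot indicator; tune it per host.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutablePath {
    # Extract the image path from a service/task command line.
    # Handles both "C:\quoted path\svc.exe" -args and C:\unquoted\svc.exe -args.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split ' ')[0]
}

function Test-TrustedPath {
    # True when the (environment-expanded) path starts with one of the trusted roots.
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Services that start at boot and run from outside the trusted roots
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $exe = Get-ExecutablePath $_.PathName
        if (-not (Test-TrustedPath $exe)) {
            [pscustomobject]@{
                Type  = 'Service'
                Name  = $_.Name
                Path  = $exe
                State = $_.State
            }
        }
    }

# Scheduled tasks whose action executes a binary outside the trusted roots
Get-ScheduledTask |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute property and are skipped
            $exe = Get-ExecutablePath $action.Execute
            if ($exe -and -not (Test-TrustedPath $exe)) {
                [pscustomobject]@{
                    Type  = 'ScheduledTask'
                    Name  = "$($task.TaskPath)$($task.TaskName)"
                    Path  = $exe
                    State = $task.State
                }
            }
        }
    }
```

Run it in an elevated PowerShell session and compare the output against a known-good baseline from a clean machine of the same build: legitimate third-party agents installed under ProgramData or a user profile will appear too, and bare image names without a directory (resolved through PATH at runtime) are deliberately flagged rather than silently trusted.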

The Trickbot malware reaches targets through malvertising campaigns, but it can also spread on its own using automated, worm-like propagation modules.

TrickBot was first detected in 2016 and is believed to be based on the Dyreza banking trojan. It targets customers of a large assortment of international banks using webinject modules that insert JavaScript and HTML code into banking websites before they are rendered in the victim's web browser.

It is also capable of stealing cryptocurrency from Bitcoin wallets, as well as harvesting Windows credentials with Mimikatz and collecting emails.