Delaware, USA – November 25, 2019 – Since the beginning of the month, TrickBot's authors have been testing the ability to steal sensitive OpenSSH and OpenVPN data: passwords, private keys, and configuration files. The first infection by the trojan using the updated password grabber module occurred on November 8; Palo Alto Networks researchers analyzed the discovered sample and published a report describing TrickBot's new functions. So far, researchers have found only a sample targeting 64-bit Windows systems. It uses HTTP POST requests to exfiltrate OpenVPN configuration files and passwords and OpenSSH private keys to the attackers' servers. Good news: despite the added functionality, the examined malware sample could not steal and transfer data from test systems running Windows 7 and Windows 10, so this is probably one of the first tests of these functions in the wild. Bad news: more than two weeks have passed since the password grabber module with the new functions was deployed, and the attackers could have released a fully working module during this time. Researchers also confirmed the ability of the TrickBot trojan to steal SSH passwords and private keys from PuTTY; this feature was added in one of the previous module updates.
The threat actor behind TrickBot infections not only updates existing modules but also adds new ones. This summer, researchers discovered three new modules that target customers of US-based mobile carriers Verizon Wireless, T-Mobile, and Sprint, and the malware's downloader learned extra tricks to disable Windows Defender. The trojan's new functionality will facilitate access to corporate networks, which in turn will open the way for Ryuk ransomware affiliates.
The rules to detect the TrickBot banking trojan are available on Threat Detection Marketplace:
Trickbot Execution by Florian Roth https://tdm.socprime.com/tdm/info/DGNlrOOiuHe1/
Possible TrickBot Activity OR WinDefend Manipulation by Roman Ranskyi https://tdm.socprime.com/tdm/info/YsNZIK6sC0SM/
TrickBot Detector (Sysmon) by Alexandr Yampolskyi https://tdm.socprime.com/tdm/info/sHiuZ4mbPMXt/
Trickbot Malware Detector (Sysmon Behavior)(July 2019) by Lee Archinal https://tdm.socprime.com/tdm/info/s06qUuUPHuOY/