Trickbot Starts Collecting RDP Credentials

Delaware, USA – February 18, 2019 – Trickbot became interested in victims’ credentials at the end of last year, and just a few months later, malware authors expanded the trojan’s functions adding capabilities of stealing RDP credentials. Trend Micro’s experts analyzed the latest campaign and discovered new features in one of its modules. In addition to RDP credentials, the password-stealing module now targets PuTTY and Virtual Network Computing platforms. The new campaign does not differ in creativity: victim receives phishing email containing MS Exel file with a malicious script that installs the actual version of the malware. The Trojan exfiltrates the collected information to the listed C&C servers using POST.

Authors of the Trickbot malware continue to expand its capabilities, as do the authors of Emotet, who have turned their malware into the number one threat among banking trojans. Focusing on credentials for remote access will allow attackers to monetize a successful infection if the victim’s system does not contain valuable banking data. Compromised accounts can be used both to infect systems with coinminers and to drop ransomware infection to attacked organization’s servers. You can detect traces of the fresh version of Trickbot on your network using updated rules from Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1441/
You can also leverage the VPN Security Monitor rule pack to uncover signs of unauthorized access to your network: https://my.socprime.com/en/integrations/vpn-security-monitor-hpe-arcsight