Published on November 23rd, 2019

TrickBot Trojan Getting Ready to Steal OpenSSH and OpenVPN Keys


The TrickBot banking trojan keeps evolving: this week researchers spotted an updated password grabber module that could be used to steal OpenSSH private keys as well as OpenVPN passwords and configuration files.

TrickBot (also known as Trickster, TrickLoader, and TheTrick) is a modular malware family that has been continuously upgraded with new capabilities and modules since it was first spotted in the wild in October 2016.

Even though the first detected variants came only with banking Trojan capabilities, used to collect sensitive data and exfiltrate it to the operators, TrickBot is now also a popular malware dropper, observed infecting systems with other, sometimes more dangerous, malware strains.

Newly targeted OpenSSH and OpenVPN apps

TrickBot's just-updated password-grabbing module, which now targets the OpenSSH and OpenVPN applications, was discovered by researchers at Palo Alto Networks' Unit 42 on a compromised 64-bit Windows 7 device on November 8.

The pwgrab64 password grabber module they found is not a new addition, as it was spotted by researchers back in November 2018 while analyzing a variant capable of looting passwords from several web browsers and apps like Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge, Microsoft Outlook, Filezilla, and WinSCP.

In February, this password stealer module got upgraded to grab credentials utilized to authenticate to remote servers using VNC, PuTTY, and Remote Desktop Protocol (RDP).

Figure: Trickbot password grabber HTTP POST requests (Unit 42)

The Unit 42 researchers discovered that TrickBot now uses HTTP POST requests to send OpenSSH private keys and OpenVPN passwords and configuration files to its command and control (C2) servers.

However, as they later found after taking a closer look at the malware's C2 traffic on infected Windows 7 and Windows 10 hosts, the Trojan does not actually exfiltrate any data yet, hinting at the fact that its creators are only testing this newly added capability.

As they further determined, this new Trickbot variant is still as dangerous as ever seeing that it can still grab private keys from SSH-related applications such as PuTTY and deliver them to its operators.
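The behaviour described above gives defenders something concrete to look for: outbound HTTP POST bodies that carry OpenSSH, OpenSSL or PuTTY private-key headers, or OpenVPN client configuration directives. The following scanner is an added example, not code from the article or from Unit 42; the sample requests and hostnames are constructed for the demonstration and are not indicators from the report.

```python
"""
Added example (not from the article or Unit 42): flag outbound HTTP POST
bodies that contain private-key material or OpenVPN client configuration,
the data types the article says the pwgrab64 module now tries to exfiltrate.
Intended to run over decoded proxy or web-gateway request logs.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Markers that should not appear in a POST body leaving a workstation.
# The PEM headers and the PuTTY .ppk header are the real on-disk formats;
# the OpenVPN directives are real keywords from client .ovpn files.
PRIVATE_KEY_PATTERNS = [
    re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----"),
    re.compile(r"-----BEGIN (?:RSA|EC|DSA) PRIVATE KEY-----"),
    re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----"),
    re.compile(r"PuTTY-User-Key-File-\d"),  # PuTTY .ppk first line
]
OPENVPN_PATTERNS = [
    re.compile(r"^\s*remote\s+\S+\s+\d+", re.MULTILINE),  # remote <host> <port>
    re.compile(r"^\s*auth-user-pass", re.MULTILINE),      # stored credentials
    re.compile(r"<(?:ca|cert|key|tls-auth)>"),            # inline PEM blocks
]


def classify_post_body(body: str) -> List[str]:
    """Return the sensitive-content categories found in one request body."""
    findings = []
    if any(p.search(body) for p in PRIVATE_KEY_PATTERNS):
        findings.append("ssh-private-key")
    if any(p.search(body) for p in OPENVPN_PATTERNS):
        findings.append("openvpn-config")
    return findings


def scan_requests(requests: Iterable[Tuple[str, str, str]]) -> List[Dict]:
    """requests: (method, destination host, decoded body) tuples.

    Returns one alert per POST whose body matches a category; GETs and
    clean POSTs are ignored so the output stays small enough to triage.
    """
    alerts = []
    for method, host, body in requests:
        if method.upper() != "POST":
            continue
        categories = classify_post_body(body)
        if categories:
            alerts.append({"host": host, "categories": categories, "bytes": len(body)})
    return alerts


# Constructed sample traffic (placeholder hosts, not real IoCs).
SAMPLE_REQUESTS = [
    ("GET", "update.example.test", ""),
    ("POST", "198.51.100.7",
     "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
     "-----END OPENSSH PRIVATE KEY-----\n"),
    ("POST", "198.51.100.7",
     "client\ndev tun\nremote vpn.example.test 1194\nauth-user-pass\n<ca>\n...\n</ca>\n"),
    ("POST", "intranet.example.test", "username=alice&action=login"),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

The check is deliberately content-based rather than keyed to a C2 address, since the article notes the module's traffic patterns are still changing; pairing it with a baseline of which internal hosts are allowed to upload such files keeps false positives (e.g. an administrator uploading a key to a secrets manager) manageable.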

"These updated traffic patterns demonstrate Trickbot continues to evolve. However, best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or stop Trickbot infections," the Unit 42 research team concluded.

Regularly upgraded banking Trojan

TrickBot is also one of today's most aggressively distributed malware strains, having replaced Emotet as the most distributed strain via malspam until the latter was revived in August [1, 2].

In August, TrickBot operators targeted Verizon Wireless, T-Mobile, and Sprint users in an attempt to steal their PIN codes via dynamic webinjects, and also used the Google Docs online word processor to infect unsuspecting victims with executables camouflaged as PDF documents.

During July, TrickBot was updated with capabilities to circumvent Windows Defender, gained a new IcedID proxy module for stealing banking information, and its creators introduced a new module for stealing browser cookies.

In January, FireEye and CrowdStrike researchers discovered that TrickBot had moved into the Access-as-a-Service business, letting other actors buy access to networks it had previously infected and providing them with reverse shells to infiltrate the rest of the network and drop their own payloads.

Even further back, in July 2017, Trickbot became capable of self-propagation via a self-spreading component that improved its capability to rapidly spread over entire networks.
