New malware is targeting VPN users. TrickBot, a modular malware first observed in 2016, steals login credentials, system information, and other private data from vulnerable Windows machines.
Security researchers have warned users to check their systems and update their Windows machines to mitigate threats posed by the new malware.
What is Trickbot Malware?
TrickBot is a trojan that targets Windows machines. First observed in 2016, it targets banking systems and also steals from Bitcoin wallets.
It also harvests private information such as emails, passwords, and other login credentials.
TrickBot is among the most sophisticated modern modular trojan horses. Its modularity lets it pull executable files from a command-and-control server and grants attackers better control of, and access to, the infected machines.
Attackers keep improving the malware, making it stealthier and better able to bypass security controls on user devices. On Windows 10, for example, TrickBot uses a unique mechanism to fetch attack modules from the command-and-control servers: it uses an encrypted list of IP addresses and also encrypts the responses from the C&C servers.
How the New Trickbot Malware Works
A TrickBot-infected Windows machine downloads various modules to perform different tasks. The modules are stored in the system's AppData\Roaming directory. They are then decoded into DLL files that run from memory.
Pwgrab64, one of the modules TrickBot uses, extracts login credentials stored in a victim's browser but can also obtain credentials from other applications on the target host.
Back in November, Palo Alto Networks security researchers started seeing indicators that Pwgrab64, Trickbot’s password grabber module, had targeted information from OpenVPN and OpenSSH applications.
Attacks on OpenSSH and OpenVPN
In traffic analysis of recent TrickBot infections, Palo Alto Networks began to see new HTTP POST requests for both OpenSSH private keys and OpenVPN passwords and configs. The requests came from Pwgrab64.
However, according to the security researchers, the updates to Pwgrab64 might not be fully functional. Traffic analysis from the TrickBot malware showed no actual data from OpenVPN, and other lab tests of the password grabber against OpenVPN and OpenSSH returned no data either.
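As an added example (my own code, not from the article or from Palo Alto Networks), a small detector that inspects outbound HTTP POST bodies for the two kinds of material the article says Pwgrab64 now requests. The article does not give the request format, so the script assumes the stolen content travels in the POST body and matches on private-key headers and OpenVPN directives; the sample traffic is constructed.

```python
import re
from typing import Dict, List

# Markers for the material the article says Pwgrab64 now requests:
# OpenSSH private keys (plus PuTTY .ppk files, which the article also
# names) and OpenVPN client configs. Marker choice is my own assumption.
SSH_KEY_MARKERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "PuTTY-User-Key-File-",
)
# Directives that OpenVPN client configs nearly always contain.
OVPN_DIRECTIVES = re.compile(
    r"^\s*(client|remote\s+\S+|auth-user-pass|<ca>|<key>)(?=\s|$)", re.M
)


def classify_post_body(body: str) -> List[str]:
    """Label credential material found in one outbound HTTP POST body."""
    hits = []
    if any(m in body for m in SSH_KEY_MARKERS):
        hits.append("openssh_private_key")
    # Require two directives so a lone word like "client" does not alert.
    if len(OVPN_DIRECTIVES.findall(body)) >= 2:
        hits.append("openvpn_config")
    return hits


def scan_posts(posts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return an alert per POST whose body carries SSH keys or VPN configs."""
    alerts = []
    for p in posts:
        labels = classify_post_body(p["body"])
        if labels:
            alerts.append({"dst": p["dst"], "labels": ",".join(labels)})
    return alerts


# Constructed sample traffic (not real captures): a benign form post, a fake
# OpenSSH key, a VPN config, and an empty body like the observed requests.
SAMPLE_POSTS = [
    {"dst": "203.0.113.10", "body": "user=alice&action=login"},
    {"dst": "203.0.113.20", "body": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                    "AAAAfake==\n-----END OPENSSH PRIVATE KEY-----"},
    {"dst": "203.0.113.30", "body": "client\nremote vpn.example.test 1194\n"
                                    "auth-user-pass\n<ca>\nfake\n</ca>"},
    {"dst": "203.0.113.40", "body": ""},
]

if __name__ == "__main__":
    for a in scan_posts(SAMPLE_POSTS):
        print(f"ALERT dst={a['dst']} exfil={a['labels']}")
```

Run against real proxy or IDS logs, the same matcher is equally useful for spotting any outbound private key or VPN config, whatever malware carried it.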
How to Protect Your Machine
TrickBot's password grabber does work and can still obtain SSH passwords and private keys from PuTTY, an SSH/Telnet client.
The malware continues to evolve according to Palo Alto Networks.
To stay safe, users should update their computers, make sure they are running the latest version of Microsoft Windows, and ensure that their anti-virus and anti-spyware software is up to date.