The Trickbot banking malware has added yet another tool to its arsenal, allowing crooks to steal passwords as well as browser data including web history and usernames.
The malware first appeared in 2018, initially focused on stealing banking credentials – but Trickbot is highly customisable and has undergone numerous updates since. The latest trick – picked up by researchers at Fortinet, among others – is the addition of a new module designed to steal passwords.
This new Trickbot variant first emerged in October and is delivered to victims via a malicious Excel document.
Like many forms of malware, the malicious package is spread via macros: the user is told their document was created in an older version of Excel and that they must ‘enable content’ to view the file. Enabling content allows macros to run and executes malicious VBS code, which kicks off the malware download.
The execution goes through a number of processes, culminating in PowerShell being executed to download a final payload from a fake Microsoft Office Excel address.
This payload – pointer.exe – is Trickbot itself, which is listed as “pointes.exe” once installed. Like previous versions of the malware, it persistently installs itself into the system’s Task Scheduler so it runs automatically whenever the machine is operational.
After it has been running for a little time, it downloads a new module – pwgrab32. According to Fortinet, this particular module first emerged in mid-October and as the name suggests, it’s designed to grab password information from the victim’s system.
The password grabber can steal credentials from applications such as FileZilla, Microsoft Outlook and WinSCP, potentially providing all sorts of information about the infected machine.
In addition to stealing credentials from applications, Trickbot also steals information from web browsers, including usernames and passwords, internet cookies, browsing history, autofill data and HTTP POST data. All of these can be exploited to help the attacker make off with additional data – and it works on Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge.
The addition of this password stealer makes Trickbot an even more powerful tool, with the ability to steal credentials from across the web – putting victims at risk of theft and fraud on more than just their bank account.
Trickbot’s core ability as a banking trojan also remains: monitoring users and which banking URLs they access, including those of institutions in Germany, Australia, Austria, Ireland and Switzerland. The malware uses one of two methods – credential extraction being one of them – to gain the user’s login details and get access to the account.
Malware authors continue to update banking trojans like Trickbot and Emotet in order to ensure they remain undetected for as long as possible. Using a robust security package can go some way to preventing users from falling victim to attacks – as can education on how to spot the suspicious emails which deliver this type of threat.