Trickbot is banking malware that steals login credentials from applications. It was discovered long ago, and the threat actors are continuously adding new capabilities to it.
Trickbot Infection Chain
The infection chain starts with an email that appears to be a tax incentive notification from a financial institution. The email contains
Once the user opens the malicious spreadsheet, the macro runs, downloads the Trickbot malware, and activates it on the infected machine.
The 2019 Trickbot variant adds the following three new functions:
- Virtual Network Computing (VNC)
- Remote Desktop Protocol (RDP) platforms
Virtual Network Computing (VNC)
In order to grab login credentials, the pwgrab module searches for vnc.lnk files located in the following directories (read the TrendMicro blog post).
It exfiltrates the following information from the infected machine and posts it to the command-and-control (C&C) servers.
- Target machine’s hostname
- Proxy settings
To grab the PuTTY credentials, it queries the Software\SimonTatham\PuTTY\Sessions registry key to identify the saved sessions and grabs the following information.
- Hostname and Username
- The private key for Authentication
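A detection sketch for the PuTTY registry access described above, added here as an example and not taken from the article or the TrendMicro report. It assumes object-access auditing (a SACL) is enabled on the Sessions key so that Security event 4663 is logged; the install path allowlist and the sample events are constructed.

```python
import json
import ntpath

# Registry path named in the article; the hive prefix differs per user SID.
PUTTY_KEY = r"\software\simontatham\putty\sessions"

# Assumption: the PuTTY suite is installed here; adjust for your environment.
PUTTY_DIR = r"c:\program files\putty"
ALLOWED_IMAGES = {PUTTY_DIR + "\\" + exe for exe in
                  ("putty.exe", "pageant.exe", "plink.exe", "pscp.exe", "psftp.exe")}

# Constructed sample: Security event 4663 records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice", "ProcessName": "C:\\Program Files\\PuTTY\\putty.exe", "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\SimonTatham\\PuTTY\\Sessions"}
{"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Roaming\\example\\updater.exe", "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\SimonTatham\\PuTTY\\Sessions\\prod-db"}
{"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\putty.exe", "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\SimonTatham\\PuTTY\\Sessions"}
{"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Roaming\\example\\updater.exe", "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
"""

def suspicious_putty_reads(lines):
    """Return (user, image, key) for accesses to the PuTTY Sessions key
    made by any process image outside the allowlisted install directory."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        if ev.get("EventID") != 4663 or ev.get("ObjectType") != "Key":
            continue
        if PUTTY_KEY not in ev.get("ObjectName", "").lower():
            continue
        # Compare the full normalised path: a binary merely named putty.exe
        # but running from a user-writable directory must still be flagged.
        image = ntpath.normpath(ev.get("ProcessName", "")).lower()
        if image not in ALLOWED_IMAGES:
            hits.append((ev.get("SubjectUserName"), image, ev["ObjectName"]))
    return hits

if __name__ == "__main__":
    for user, image, key in suspicious_putty_reads(SAMPLE_EVENTS):
        print(f"ALERT user={user} image={image} key={key}")
```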
It uses the CredEnumerateA API to look for the saved login credentials and exfiltrates the hostname, username, and password.
Indicators of Compromise (IOCs)
Trickbot (Detected as TrojanSpy.Win32.TRICKBOT.AZ)
Trickbot (Detected as Trojan.Win32.MERETAM.AD)