TrickBot Evolves to Go After SSH Keys


The info-stealing malware has updated its password-grabbing module.

The TrickBot info-stealing malware has updated its password grabber to target data from OpenSSH and OpenVPN applications.

OpenSSH is a connectivity tool for remote login with the SSH protocol; it encrypts all traffic to eliminate eavesdropping. OpenVPN meanwhile is used for secure private networking.

TrickBot takes aim at Windows hosts and then downloads different modules to perform various functions. One of these, named pwgrab64, retrieves login credentials stored in a victim’s browser cache, and from any installed applications.

“The password grabber and some other TrickBot modules send stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by TrickBot,” explained researchers at Palo Alto Networks’ Unit 42 group, in a posting on Friday. “The URL in the HTTP POST request ends with the number 81. This number is used in URLs generated by TrickBot’s password-grabber module.”

This has allowed the researchers to track traffic patterns specific to this module from recent TrickBot infections. And earlier this month, Unit 42 started seeing two new HTTP POST requests from the password grabber: one for OpenSSH private keys, and one for OpenVPN passwords and configuration files. It also will grab sensitive data like private keys from SSH-related applications, such as an SSH/Telnet client named PuTTY.
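The traffic characteristics quoted above (HTTP POST, TCP port 8082, request URL ending in 81) are enough to write a simple hunting rule. The following is an added example, not code from the Unit 42 report or from Threatpost: it parses constructed proxy-style log lines in a hypothetical layout and flags requests that match the module's reported pattern.

```python
import re
from dataclasses import dataclass

# Traffic characteristics reported by Unit 42 for the pwgrab64 module:
# unencrypted HTTP POST over TCP port 8082, request URL ending in "81".
PWGRAB_PORT = 8082
PWGRAB_URL_SUFFIX = "81"

# Hypothetical proxy/NSM log layout (constructed for this example):
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <uri> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)

@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    uri: str

def is_pwgrab_post(method: str, port: int, uri: str) -> bool:
    """Match the reported pattern: POST, TCP port 8082, last URL path segment '81'."""
    path = uri.split("?", 1)[0]                   # ignore any query string
    segments = [s for s in path.split("/") if s]  # drop empty segments from '/' and trailing '/'
    return (method == "POST" and port == PWGRAB_PORT
            and bool(segments) and segments[-1] == PWGRAB_URL_SUFFIX)

def find_pwgrab_posts(lines):
    """Return a Hit for every log line matching the password-grabber pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if is_pwgrab_post(m["method"], int(m["port"]), m["uri"]):
            hits.append(Hit(m["ts"], m["src"], m["dst"], m["uri"]))
    return hits

# Constructed sample lines; IPs are RFC 5737 documentation addresses, not real IoCs.
SAMPLE_LOG = [
    "2019-11-08T10:01:02Z 10.0.0.5 203.0.113.10:8082 POST /exampleid/WINHOST/81/ 200",
    "2019-11-08T10:01:03Z 10.0.0.5 203.0.113.10:8082 POST /exampleid/WINHOST/83/ 200",
    "2019-11-08T10:01:04Z 10.0.0.5 198.51.100.7:80 GET /index.html 200",
    "2019-11-08T10:01:05Z 10.0.0.6 203.0.113.10:8082 GET /exampleid/WINHOST/81/ 404",
]

if __name__ == "__main__":
    for h in find_pwgrab_posts(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst} {h.uri}")
```

Only the first sample line matches: the second ends in a different number, the third is ordinary web traffic, and the fourth is a GET rather than a POST.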

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, noted that SSH keys are extremely valuable for adversaries. SSH uses public-key cryptography to authenticate remote computers and, if necessary, the user. There are several ways to use SSH; one is to use automatically generated public-private key pairs simply to encrypt a network connection, and then use password authentication to log on.

“Cyberattackers know that SSH keys can provide complete control over devices, and the latest TrickBot malware is especially proficient at stealing these sensitive credentials,” he said via email. “SSH keys need to be rotated frequently, and the only way to do this effectively is with automation, but many organizations, including banks, never change them…Even worse, many SSH keys never expire so they can be used to create long term backdoors that allow attackers to gain access to networks for months or years.”

He added, “Although SSH keys are used for many kinds of privileged access, most organizations do not have security controls in place to minimize the risks connected with them. Without broader recognition of the pivotal role SSH keys can play in attacks and the implementation of security controls to protect them, organizations will remain at risk to attacks like TrickBot, and the theft of SSH keys, will continue.”

Interestingly, these HTTP POST requests for OpenSSH and OpenVPN occur whether or not the victim’s host has either application installed, leading the researchers to conjecture that these two functions aren’t yet fully functional.

“We generated TrickBot infections in lab environments for both Windows 7 and Windows 10 hosts with configured OpenSSH and OpenVPN applications. However, we have not seen any working results,” the researchers noted. “HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN during these infections contained no data.”

However, TrickBot’s password grabber will successfully grab SSH passwords and private keys from PuTTY, if the client is configured to use a private key for an SSH connection to a cloud server.

“These updated traffic patterns demonstrate TrickBot continues to evolve,” said Unit 42 researchers. “However, best security practices like running fully patched and up-to-date versions of Microsoft Windows will hinder or stop TrickBot infections.”

Since its appearance in 2016, TrickBot has continued to rapidly evolve in both tactics and targeting. Even just in 2019, the malware has switched up its technique to go after remote desktop application credentials and target firms using a tax-themed phishing lure. And in August it was seen targeting users of U.S. mobile carriers Verizon, T-Mobile and Sprint via web injects, in order to steal their PIN codes, enabling SIM-swapping attacks.
