Trickbot Malware Goes After Remote Desktop Credentials


The banking trojan is consistently evolving in hopes of boosting its efficacy.

The banking trojan known as Trickbot has resurfaced, with an updated info-stealing module that allows it to harvest remote desktop application credentials.

According to Trend Micro’s Noel Anthony Llimos and Carl Maverick Pascual, a new variant has recently come on the scene, and is being spread via seasonally-themed spam emails that use tax-incentive lures purporting to be from Deloitte. The emails promise help for getting the most out of this year’s changes to the U.S. tax code. Yet attached is a macro-enabled Microsoft Excel spreadsheet, which once activated, will download Trickbot to the victim’s computer.

The spam lure for Trickbot 2019.

Upon analysis, Trend Micro found the payload to be sporting three new functions for 2019, all within its existing password-grabbing module: It can now steal credentials from the Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP) platforms. All three are widely used in business settings in particular.

“In November 2018, we covered a Trickbot variant that came with a password-grabbing module, which allowed it to steal credentials from numerous applications,” Llimos and Pascual said in a posting this week. “In January 2019, we saw Trickbot … with new capabilities added to its already extensive bag of tricks. Its authors clearly aren’t done updating Trickbot.”

To intercept VNC credentials, including the target machine’s hostname, port and proxy settings, Trickbot’s “pwgrab” module now searches for files with the “*.vnc.lnk” extension located in the user’s Recent items and Downloads folders.

“The module will send the required data via POST, which is configured through a downloaded configuration file using the filename ‘dpost’,” the researchers explained. “This file contains a list of command-and-control (C2) servers that will receive the exfiltrated data from the victim.”

For PuTTY credentials, Trickbot queries the registry key (i.e., “Software\SimonTatham\Putty\Sessions”) to identify the saved connection settings. This allows the module to retrieve an array of useful information, such as the host name and user name, and the private key files used for authentication.

And finally, for RDP, Trickbot uses the “CredEnumerateA” API to identify and steal saved credentials.

“It then parses the string ‘target=TERMSRV’ to identify the host name, user name and password saved per RDP credential,” Llimos and Pascual explained.
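An added PowerShell audit script, not from the Trend Micro analysis or this article, that lists on a Windows host the three credential stores described above, so an administrator can see what a compromised user session would expose and clear what is not needed. The Credential Manager target format, the PuTTY registry value names and the Recent/Downloads locations are assumptions about how those clients store their data.

```powershell
# Added example: inventory the credential stores the pwgrab module is described
# as targeting. Nothing here reads secrets; it only lists where they are kept.

function Get-SavedRdpTargets {
    # Credential Manager stores RDP logons under a TERMSRV/<host> target, which is
    # the "target=TERMSRV" string the module parses. cmdkey shows names, not secrets.
    cmdkey /list 2>$null |
        Where-Object { $_ -match 'TERMSRV/' } |
        ForEach-Object { ($_ -split ':\s*', 2)[1].Trim() }
}

function Get-PuttySavedSessions {
    # Saved sessions live under the registry key named in the article; the
    # PublicKeyFile value (assumed name) points at the private key used to log in.
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Session  = [uri]::UnescapeDataString($_.PSChildName)  # names are URL-encoded
            HostName = $p.HostName
            UserName = $p.UserName
            KeyFile  = $p.PublicKeyFile
        }
    }
}

function Get-VncShortcuts {
    # The module looks for *.vnc.lnk shortcuts in the user's Recent and Downloads folders.
    $dirs = @([Environment]::GetFolderPath('Recent'),
              (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $dirs -Filter '*.vnc.lnk' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

'Saved RDP targets (Credential Manager):'; Get-SavedRdpTargets
'PuTTY saved sessions:';                   Get-PuttySavedSessions | Format-Table -AutoSize
'VNC shortcut files:';                     Get-VncShortcuts
```

Run it in the context of the user account being audited, since all three stores are per-user; entries that are no longer needed can be removed with `cmdkey /delete` or by deleting the session or shortcut.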

Trickbot has also added encryption for the strings it uses, via simple variants of XOR or SUB routines, and it now uses API hashes for indirect API calling. The latter functionality was culled from the Carberp trojan source code, which was leaked in 2013, researchers said.

While Trickbot’s new capabilities aren’t necessarily unique, the fact that it continues to evolve means that its efficacy as a banking trojan is significantly boosted.

“It proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective,” the researchers said.

Trickbot added functionality in November as well, in the form of a variant containing a stealthy code-injection technique. Researchers at Cyberbit observed it performing process-hollowing using direct system calls, along with anti-analysis techniques and the disabling of security tools.

Trickbot in some ways is taking a page from Emotet, which remains the top banking trojan out there, largely because of its penchant for consistently adding new functionality and evasion techniques. For instance, Emotet was recently seen using attachments for delivery that are disguised as Word documents with a .doc extension – in reality, they’re XML files.

This is a technique used to evade sandboxes, which typically use the true file type of an attachment, not the file’s extension, to identify the application they need to run it in inside the sandbox.

“Banking trojans … keep evolving and we see more of them and their variants bypassing common security solutions,” BitDam CEO and co-founder Liron Barak told Threatpost this week. “This trend is not going anywhere. Unfortunately, no matter how many security updates and patches are published, malicious actors will continue to get more sophisticated employing innovative tactics.”
