This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Trickbot: Old Malware Still Learns New Tricks

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Trickbot: Old Malware Still Learns New Tricks

reaper
Cyber Elite
Cyber Elite
‎11-28-2019 12:02 PM

Trickbot Malware Graphic Courtesy of Unit42.Trickbot Malware Graphic Courtesy of Unit42.

Palo Alto Networks Unit42 provides information on the Trickbot Password Grabber Module. Learn how this old form of malware is relevant today and how you can protect your network from attacks. Got questions? Get answers on LIVEcommunity!

 

Trickbot is a modular banking trojan, designed to bypass and disable security once it infects a system. Once the system is successfully compromised, it will download modules (chosen by the attacker) to perform all sorts of tasks. Usually, these tasks are to use webinjects to intercept banking transactions or steal Bitcoin wallets. Other modules help to propagate, encrypt its C2 (command, 7, Control), or steal credentials.

 

By default, the password grabber and several other modules that rely on C2 send unencrypted HTTP out via port 8082, which should be a fairly easy port to spot in your traffic log if you want to ensure nothing fishy is going on in your network.

 

While up until recently, the password grabber would focus on stealing credentials from the browser cache, and it has recently been spotted trying to pass along OpenSSH private keys and OpenVPN passwords and configs. Luckily, Unit42 found that the mechanism to collect these keys and passwords may be broken, but they did see sensitive data being collected from PuTTY, a popular SSH client.

 

Since Trickbot is still evolving, vigilance is recommended. Make sure to apply security best practices but also spread awareness among your peers. Fully patching Microsoft Windows workstations goes a long way, enabling our threat prevention platform will protect you further. AutoFocus users can track Trickbot activity by using the Trickbot tag.

 

If you want to read the full analysis of the new password grabber, jump on over to the Unit42 blog: Trickbot Updates Password Grabber Module

 

If you want to do some more investigating on your own network, Unit42 has a great tutorial on how to use Wireshark to examine Trickbot infections: Wireshark Tutorial: Examining Trickbot Infections.

 

 

stay frosty

  • 3635 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
About the Author
I drink and I know things
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks