Palo Alto Networks Unit42 provides information on the Trickbot Password Grabber Module. Learn how this old form of malware is relevant today and how you can protect your network from attacks. Got questions? Get answers on LIVEcommunity!
Trickbot is a modular banking trojan, designed to bypass and disable security once it infects a system. Once the system is successfully compromised, it downloads modules (chosen by the attacker) to perform all sorts of tasks. Usually these tasks involve using webinjects to intercept banking transactions or stealing Bitcoin wallets. Other modules help it propagate, encrypt its C2 (command and control) traffic, or steal credentials.
By default, the password grabber and several other modules that rely on C2 send unencrypted HTTP out via port 8082, which should be a fairly easy port to spot in your traffic log if you want to ensure nothing fishy is going on in your network.
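As an added illustration (not part of the original post and not Unit42's tooling), here is a small hunt over a constructed, simplified traffic log that flags outbound TCP/8082 sessions and ranks the internal hosts behind them; the CSV columns and the 10.0.0.0/8 internal range are assumptions, not the real PAN-OS traffic-log schema.

```python
"""Hunt for Trickbot's default C2 channel: unencrypted HTTP over TCP/8082 leaving
the network. Added example using a constructed, simplified CSV traffic log; it is
not the real PAN-OS traffic-log schema and not Unit42's code."""
import csv
import io
import ipaddress
from collections import Counter

C2_PORT = 8082
# Assumption: the monitored internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIELDS = ["time", "src", "dst", "dport", "proto", "app", "bytes_out"]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2019-03-01T10:00:01,10.1.2.15,203.0.113.7,8082,tcp,web-browsing,1532
2019-03-01T10:00:03,10.1.2.15,198.51.100.4,443,tcp,ssl,20480
2019-03-01T10:00:09,10.1.2.40,203.0.113.7,8082,tcp,unknown-tcp,884
2019-03-01T10:00:12,10.1.2.15,203.0.113.7,8082,tcp,web-browsing,2201
2019-03-01T10:00:15,10.1.2.99,10.1.2.1,8082,tcp,web-browsing,300
2019-03-01T10:00:20,10.1.2.77,192.0.2.9,8082,udp,dns,70
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_c2_suspects(log_text: str, port: int = C2_PORT):
    """Return (hits, per_source): rows matching outbound TCP to `port`, and a
    Counter of matching sessions per internal source host."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["proto"].lower() != "tcp" or int(row["dport"]) != port:
            continue
        # Internal-to-internal 8082 (e.g. a management web UI) is not this pattern.
        if not (is_internal(row["src"]) and not is_internal(row["dst"])):
            continue
        hits.append(row)
    per_source = Counter(r["src"] for r in hits)
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = find_c2_suspects(SAMPLE_LOG)
    for src, n in per_source.most_common():
        dsts = sorted({r["dst"] for r in hits if r["src"] == src})
        print(f"{src}: {n} session(s) to TCP/{C2_PORT} -> {', '.join(dsts)}")
```

Hosts that keep reconnecting to the same external address on 8082 are the ones to pull for a closer look; a single internal-only hit is usually a legitimate service on that port.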
Until recently, the password grabber focused on stealing credentials from the browser cache; it has now been spotted trying to pass along OpenSSH private keys and OpenVPN passwords and configs. Luckily, Unit42 found that the mechanism to collect these keys and passwords may be broken, but they did see sensitive data being collected from PuTTY, a popular SSH client.
Since Trickbot is still evolving, vigilance is recommended. Make sure to apply security best practices, but also spread awareness among your peers. Fully patching Microsoft Windows workstations goes a long way, and enabling our threat prevention platform will protect you further. AutoFocus users can track Trickbot activity by using the Trickbot tag.