New Trickbot variant can steal credentials and browser history

  • The new malware was discovered on October 16 and is written in Delphi.
  • The malware also uses several anti-analysis techniques to evade detection.

The notorious banking malware Trickbot has added some new tricks to its bag. The malware can now steal credentials, including passwords, as well as browser histories. The new Trickbot variant emerged on October 16 and is written in Delphi.

Trickbot is now distributed via a malicious Excel document and uses several anti-analysis techniques to evade detection. Trickbot was originally discovered in 2016 and at the time focused on stealing victims’ banking credentials. The malware has since undergone several upgrades and now boasts additional features that allow cybercriminals to exfiltrate a wide variety of sensitive user data.

According to security experts at Fortinet, Trickbot’s new module, “pwgrab32”, is designed to steal credentials from applications such as Microsoft Outlook, FileZilla, and WinSCP, as well as system information.

“One interesting thing I found in the ‘pwgrab32’ code is that it encrypts plaintext byte by byte, decrypts it back to plain text, and uses that decrypted plain text. Is this a joke by the Trickbot author? No, it should be an anti-analysis technique to hide plain text. However, I think the author simply forgot to remove the decryption function and replace the plain text with the encrypted one before compiling this module. This error appears many times throughout the pwgrab32 module,” Fortinet researcher Xiaopeng Zhang wrote in a blog post.
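To make the quoted observation concrete, here is an added Python example; it is not code from this article or from Fortinet. It models the mistake the researcher describes: a string is stored in a per-byte obfuscated form, but the plaintext copy was never removed from the build, so a plain “strings”-style scan recovers it without any decryption at all. The XOR transform, the key, the secret string, and the padding bytes are all assumptions constructed for the example; the blog post does not name the cipher.

```python
import string

# Printable ASCII minus control whitespace: what a "strings"-style scan accepts.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

# Constructed sample secret; not a string taken from the real module.
SECRET = b"example-credential-store-path"
KEY = 0x5A  # assumed single-byte XOR key; the post does not name the cipher


def obfuscate(data: bytes, key: int = KEY) -> bytes:
    """Byte-by-byte XOR, a stand-in (assumption) for the module's per-byte transform."""
    return bytes(b ^ key for b in data)


def deobfuscate(data: bytes, key: int = KEY) -> bytes:
    """XOR is its own inverse, so the round trip restores the plaintext."""
    return obfuscate(data, key)


def build_sample(forgot_to_strip_plaintext: bool) -> bytes:
    """Constructed stand-in for a data section of a compiled module.

    The correct build embeds only the obfuscated bytes; the mistaken build
    (the situation described in the quoted analysis) still carries the
    plaintext copy as well.
    """
    filler = bytes(range(0, 32))  # non-printable padding, constructed
    blob = filler + obfuscate(SECRET) + filler
    if forgot_to_strip_plaintext:
        blob += SECRET + filler
    return blob


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Minimal "strings"-style scan: runs of at least min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def plaintext_leaks(forgot_to_strip_plaintext: bool) -> bool:
    """True when a static scan recovers SECRET verbatim, with no decryption step."""
    strings_found = extract_strings(build_sample(forgot_to_strip_plaintext))
    return SECRET.decode("ascii") in strings_found


if __name__ == "__main__":
    assert deobfuscate(obfuscate(SECRET)) == SECRET
    print("correct build leaks plaintext:", plaintext_leaks(False))
    print("mistaken build leaks plaintext:", plaintext_leaks(True))
```

The obfuscated bytes may still show up as a run of printable junk, which is why the check looks for the exact plaintext rather than for any readable run; the point for a triage analyst is that, in the mistaken build, the sensitive string is available to the cheapest static tool in the kit, exactly as the researcher observed.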

What is more, Trickbot is now also capable of stealing browser data such as usernames and passwords, cookies, browsing history, autofill data, and HTTP POST requests. These new features come on top of Trickbot’s original capabilities, which involved tracking users and the banking sites they frequent. The malware is known to be capable of tracking financial institutions across the US, UK, Canada, Germany, Austria, Australia, Switzerland, and Ireland, ZDNet reported.

The new additions to Trickbot indicate that the cybercriminals operating the malware have no intention of hanging up their boots, and with these new capabilities an increase in Trickbot campaigns is likely.