Malware researcher Brad Duncan observed a new Trickbot module on July 2, 2019, when a Trickbot infection delivered a malicious file named “cookiesDLL64”.
What is the new module?
The new module, dubbed ‘Cookie Grabber’, is designed to steal browser cookies: the text that websites save in the browser for purposes such as remembering login state, storing website preferences, personalizing content, or tracking a user’s browsing activity.
“2019-07-02 - Is this cookiesDll a new #Trickbot module? - Very interesting. - Seen from an infection of Trickbot gtag: ono5 earlier today. -https://app.any.run/tasks/f1cab70c-6ed9-4cf2-a7a1-... … - cc: @hasherezade, @VK_Intel, @James_inthe_box, @mesa_matt (and others I can't think of off the top of my head),” Duncan tweeted.
Another researcher named Vitali Kremez confirmed the module. “Nice find. Indeed, this is the new #TrickBot "#CookieGrabber" browser module (with local db parser) is released with the usual export ord (Start, Control, Release, FreeBuffer) and dpost config,” Kremez replied to Duncan's tweet.
Kremez added that the new module's build date was June 27, and it targeted the cookie storage databases of all major web browsers including Chrome, Firefox, Internet Explorer, and Microsoft Edge.
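A defender can hunt for this behaviour by flagging processes other than the browser itself that open a browser's cookie store, and by treating one process touching several browsers' stores as a stronger signal. The sketch below is an added example, not code from the article or the researchers quoted; the pipe-delimited event format, the sample events, and the allowlists are constructed for illustration, and the path patterns are assumed default cookie locations that should be checked against the fleet.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed default cookie-store locations (regex over a lower-cased path),
# paired with the image names expected to open them. Tune per environment.
COOKIE_STORES = {
    "chrome": (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(network\\)?cookies$"), {"chrome.exe"}),
    "firefox": (re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$"), {"firefox.exe"}),
    "ie": (re.compile(r"\\microsoft\\windows\\(inetcookies|cookies)\\"), {"iexplore.exe"}),
    "edge": (re.compile(r"\\packages\\microsoft\.microsoftedge_[^\\]+\\ac\\microsoftedge\\cookies\\"),
             {"microsoftedge.exe", "microsoftedgecp.exe"}),
}

# Constructed file-access events: timestamp|process image|file opened
SAMPLE_EVENTS = r"""
2019-07-02T10:01:11Z|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2019-07-02T10:03:40Z|C:\Windows\System32\svchost.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2019-07-02T10:03:41Z|C:\Windows\System32\svchost.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\cookies.sqlite
2019-07-02T10:03:42Z|C:\Windows\System32\svchost.exe|C:\Users\alice\AppData\Local\Microsoft\Windows\INetCookies\ABCD1234.cookie
2019-07-02T10:05:02Z|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\cookies.sqlite
2019-07-02T10:06:00Z|C:\Windows\System32\svchost.exe|C:\Users\alice\Documents\notes.txt
""".strip().splitlines()

def classify(path):
    """Return (browser, allowed_images) if path is a known cookie store, else None."""
    lowered = path.lower()
    for browser, (pattern, allowed) in COOKIE_STORES.items():
        if pattern.search(lowered):
            return browser, allowed
    return None

def find_suspicious(lines):
    """List (timestamp, image, browser) for cookie-store opens by unexpected processes."""
    hits = []
    for line in lines:
        ts, image, target = line.split("|", 2)
        match = classify(target)
        if match and basename(image).lower() not in match[1]:
            hits.append((ts, basename(image).lower(), match[0]))
    return hits

def multi_store_processes(hits, threshold=2):
    """Images that opened cookie stores of at least `threshold` different browsers."""
    seen = {}
    for _, image, browser in hits:
        seen.setdefault(image, set()).add(browser)
    return {img: sorted(b) for img, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    print(multi_store_processes(find_suspicious(SAMPLE_EVENTS)))
```

Grouping by image name alone merges separate instances of the same executable, so a production rule would key on process ID or GUID as well.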
Worth noting
The Cookie Grabber module is completely standalone and comes with its own configuration file.
“I think they are separating each functionality into separate modular components,” the researcher told BleepingComputer.