Researchers recently spotted a new version of Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities. This new Trickbot variant uses an updated version of its password-grabbing module (pwgrab) that steals remote-access application credentials.
Tax incentive notification spam email
The updated version steals VNC, PuTTY, and RDP credentials
This new Trickbot variant adds three new functions, one each for stealing credentials from Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.
“To grab VNC credentials, the pwgrab module searches for files using the ‘*.vnc.lnk’ affix that are located in the following directories: %APPDATA%\Microsoft\Windows\Recents, %USERPROFILE%\Documents, and %USERPROFILE%\Downloads,” the researchers explained in a blog.
The stolen information includes the target machine’s hostname, port, and proxy settings.
To steal PuTTY credentials, Trickbot looks into the Software\SimonTatham\Putty\Sessions registry key; for RDP, it uses “the CredEnumerateA API to identify and steal saved credentials. It then parses the string ‘target=TERMSRV’ to identify the hostname, username, and password saved per RDP credential.”
“The module will send the required data via POST, which is configured through a downloaded configuration file using the filename ‘dpost’. This file contains a list of command-and-control (C&C) servers that will receive the exfiltrated data from the victim,” researchers explained.
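The practical question for a defender is which of these three stores actually hold anything on a given host, since that is what an infection would expose. The following PowerShell inventory is an added example, not code from the article or from the researchers; it only lists the artifacts the article names (the *.vnc.lnk shortcuts, the PuTTY session key, and Credential Manager entries whose target begins with TERMSRV) and reads no secrets. It assumes it is run as the user whose profile is being audited; the article writes the Recent-items folder as "Recents", while the folder Windows actually creates is %APPDATA%\Microsoft\Windows\Recent, so that spelling is used here.

```powershell
# Added example: inventory the credential stores that the Trickbot pwgrab
# module is reported to target, so stale saved sessions/credentials can be
# reviewed and removed. Lists metadata only; no passwords are read.

# Directories named in the article for *.vnc.lnk (Recent, not "Recents": assumption
# that the article's spelling is a typo for the real Windows folder name).
$vncDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Recent'),
    (Join-Path $env:USERPROFILE 'Documents'),
    (Join-Path $env:USERPROFILE 'Downloads')
)

Write-Host '== VNC connection shortcuts (*.vnc.lnk) =='
foreach ($dir in $vncDirs) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.vnc.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}`t{1}' -f $_.LastWriteTime, $_.FullName }
    }
}

# Saved PuTTY sessions live under HKCU; PuTTY stores host, user and proxy
# settings here (the fields the article says are taken), not passwords.
Write-Host "`n== Saved PuTTY sessions (HKCU\Software\SimonTatham\Putty\Sessions) =="
$puttyKey = 'HKCU:\Software\SimonTatham\Putty\Sessions'
if (Test-Path -Path $puttyKey) {
    Get-ChildItem -Path $puttyKey | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        # PuTTY URL-encodes session names in the registry (e.g. "prod%20db").
        $name = [System.Uri]::UnescapeDataString($_.PSChildName)
        '{0}`thost={1}`tuser={2}`tproxy={3}' -f $name, $s.HostName, $s.UserName, $s.ProxyHost
    }
}

# Saved RDP credentials are Credential Manager entries whose target starts
# with TERMSRV/, which is what the 'target=TERMSRV' parse in the article keys on.
# cmdkey /list prints target, type and user only; the secret is never shown.
Write-Host "`n== Saved RDP credentials in Credential Manager (TERMSRV/*) =="
cmdkey /list | Select-String -Pattern 'TERMSRV' -Context 0, 2
```

Run it in a normal (non-elevated) PowerShell session as the user being audited; Credential Manager and HKCU are per user, so a shared workstation needs one pass per profile. Entries that are no longer needed can be removed with `cmdkey /delete:TERMSRV/<host>`, and the longer-term fix is to stop persisting RDP passwords in Credential Manager at all, which leaves this module nothing to parse.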
Recommendations
The researchers provide the following recommendations to safeguard against this kind of attack.