Wednesday, April 2, 2025
Follow us On Linkedin
HomeComputer SecurityHackers Launching Trickbot Malware That Steals VNC, PuTTY and RDP Credentials

Hackers Launching Trickbot Malware That Steals VNC, PuTTY and RDP Credentials

Computer SecurityMalwarePassword Attacks

Published on

By Gurubaran
Hackers Launching Trickbot Malware That Steals VNC, PuTTY and RDP Credentials

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

The new variant of infamous trickbot malware comes with the capability of grabbing remote application login credentials.

Trickbot is a banking malware which steals login credentials from applications, it was discovered long back ago, the threat actors continiously adding new capabilities to the malware.

Security researchers from TrendMicro observed the bew variant that bagged with extensive number of tricks to grab the login credentials.

Trickbot Infection Chain

The infection chains start with an Email appear to be a tax incentive notification from a financial institution. The Email contains an macro enabled Microsoft Excel spreadsheet. For string encryption the trickbot variant uses XOR or SUB routines.


Infection chain for the malware

Once the user open’s malicious spreadsheet the macro runs and downloads the trickbot malware and activate’s on the infected machine.

The 2019 trickbot variant adds the the following three new functions

  • Virtual Network Computing (VNC)
  • PuTTY
  • Remote Desktop Protocol (RDP) platforms

Virtual Network Computing (VNC)

Inorder to grab login credentials, the pwgrab modules uses to search for vnc.lnk located in the following directories, ready TrendMicro blog post.

%APPDATA%\Microsoft\Windows\Recent

%USERPROFILE%\Documents, %USERPROFILE%\Downloads

It exfiltrates the following information from the infected machine and post to the command-and-control (C&C) servers.

  • Target machine’s hostname
  • Port
  • Proxy settings

Stolen Information being exfiltrated to the C&C server.

PUTTY

To grab the putty credentials it queries the Software\SimonTatham\Putty\Sessions to identify the saved sessions and grabs the following information.

  • Hostname and Username
  • The private key for Authentication

RDP

It uses the CredEnumerateA API to look for the saved login credentials and exfiltrates the hostname, username, and password.

Indicators of Compromise (IOCs)

Trickbot (Detected as TrojanSpy.Win32.TRICKBOT.AZ)

  • 374ef83de2b254c4970b830bb93a1dd79955945d24b824a0b35636e14355fe05

Trickbot (Detected as Trojan.Win32.MERETAM.AD)

  • Fcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af

Also Read:

New Trickbot Malware Steal Password & Other Sensitive Data From Microsoft Outlook,Chrome,Firefox, IE, Edge

Trickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

Upgraded TrickBot Malware Attack Point-of-Sale Machines & Services to Steal Credit/Debit card Data

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Security News

Firefox 137 Launches with Patches for High-Severity Security Flaws

Mozilla has officially launched Firefox 137 with crucial security fixes aimed at addressing several...
CVE/vulnerability

Google Cloud Platform Vulnerability Exposes Sensitive Data to Attackers

A privilege escalation vulnerability in Google Cloud Platform (GCP), dubbed "ImageRunner," was recently discovered...
Apple

Apple Fined $162 Million by France Authorities for Mobile Ad Market Domination

French antitrust regulators have imposed a hefty fine of €150 million ($162.4 million) on...
CVE/vulnerability

20,000 WordPress Sites at Risk of File Upload & Deletion Exploits

A critical security alert has been issued to WordPress site administrators following the discovery...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

cyber security

Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics...
Botnet

New Outlaw Linux Malware Using SSH brute-forcing To Maintain Botnet Activities for long Time

A persistent Linux malware known as "Outlaw" has been identified leveraging unsophisticated yet effective...
Cyber Security News

Hackers Exploit Microsoft Teams Messages to Deliver Malware

Cybersecurity experts have uncovered a new malware campaign targeting Microsoft Teams users to infiltrate...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved