Thursday, April 18, 2024

Hackers Launching Trickbot Malware That Steals VNC, PuTTY and RDP Credentials

The new variant of infamous trickbot malware comes with the capability of grabbing remote application login credentials.

Trickbot is a banking malware which steals login credentials from applications, it was discovered long back ago, the threat actors continiously adding new capabilities to the malware.

Security researchers from TrendMicro observed the bew variant that bagged with extensive number of tricks to grab the login credentials.

Trickbot Infection Chain

The infection chains start with an Email appear to be a tax incentive notification from a financial institution. The Email contains an macro enabled Microsoft Excel spreadsheet. For string encryption the trickbot variant uses XOR or SUB routines.

Infection chain for the malware

Once the user open’s malicious spreadsheet the macro runs and downloads the trickbot malware and activate’s on the infected machine.

The 2019 trickbot variant adds the the following three new functions

  • Virtual Network Computing (VNC)
  • PuTTY
  • Remote Desktop Protocol (RDP) platforms

Virtual Network Computing (VNC)

Inorder to grab login credentials, the pwgrab modules uses to search for vnc.lnk located in the following directories, ready TrendMicro blog post.

%USERPROFILE%\Documents, %USERPROFILE%\Downloads

It exfiltrates the following information from the infected machine and post to the command-and-control (C&C) servers.

  • Target machine’s hostname
  • Port
  • Proxy settings

Stolen Information being exfiltrated to the C&C server.


To grab the putty credentials it queries the Software\SimonTatham\Putty\Sessions to identify the saved sessions and grabs the following information.

  • Hostname and Username
  • The private key for Authentication


It uses the CredEnumerateA API to look for the saved login credentials and exfiltrates the hostname, username, and password.

Indicators of Compromise (IOCs)

Trickbot (Detected as TrojanSpy.Win32.TRICKBOT.AZ)

  • 374ef83de2b254c4970b830bb93a1dd79955945d24b824a0b35636e14355fe05

Trickbot (Detected as Trojan.Win32.MERETAM.AD)

  • Fcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af

Also Read:

New Trickbot Malware Steal Password & Other Sensitive Data From Microsoft Outlook,Chrome,Firefox, IE, Edge

Trickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

Upgraded TrickBot Malware Attack Point-of-Sale Machines & Services to Steal Credit/Debit card Data


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles