Tuesday, November 5, 2024
HomeComputer SecurityNew Trickbot Malware Steal Password & Other Sensitive Data From Microsoft Outlook,Chrome,Firefox,...

New Trickbot Malware Steal Password & Other Sensitive Data From Microsoft Outlook,Chrome,Firefox, IE, Edge

Published on

Malware protection

Trickbot Malware reemerging with new ticks and future to steal various sensitive information such as passwords, History, cookies from application & Browsers.

New Trickbot arriving with new password grabber module that targets the Applications & browsers including Microsoft Outlook, Filezilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.

Cybercriminals continually adding new sophisticated functionality with Trickbot malware that provide more evasion future and bypass the security software detection.

- Advertisement - SIEM as a Service

It mainly targets both corporate network and individuals in various countries such as United States, Canada, and the Philippines. There is a various module that trickbot had in previous attackers and now TrendMicro researchers identified password new grabbing module (pwgrab32) along with various modules.

Trickbot Malware Infection process

Malware authors working hard to keep adding new future and its getting download the update from the new modules via C2 server and there are many modules are added within this Trickbot campaign, let see it one by one.

Initially, a new module that researchers find out from this new Trickbot malware is pwgrab32 or PasswordGrabber that perform stealing operation in browsers and applications from affected windows system.

It steals the Passwords from the following applications – FileZilla, Microsoft Outlook.

A screen capture of the new module’s code that steals FTP passwords from FileZilla
A screen capture of the new module’s code that steals Microsoft Outlook credentials

The same module stealing various sensitive information apart from the passwords including Usernames and Passwords, Internet Cookies, Browsing History, Autofills, HTTP Posts fromChrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.

The second module is shareDll32 helps Trickbot malware to propagate across the infected network and download the copy of itself from the C2 server.

It uses 2 main functions WNetEnumResource and GetComputerNameW in order to the enumerates and identifies systems connected on the same domain.

According to Trend Micro research,To make the malware more persistent, it has an auto-start service that allows Trickbot to run whenever the machine boots. This service can have the following display names:
  • Service Techno
  • Service_Techno2
  • Technics-service2
  • Technoservices
  • Advanced-Technic-Service
  • ServiceTechno5
  • wormDll32 module – Identify servers and domain controllers in the network using NetServerEnum and LDAP queries.
  • networkDll32 module -Scan the network and steal relevant network information
  • importDll32 module – Responsible for stealing browser data such as browsing history, cookies, and plug-ins
  • systeminfo32 module – Gather system information such as OS, CPU, and memory information, user accounts, lists of installed programs and services.-
  • mailsearcher32 module –  searches the infected system’s files to gather email addresses for information-stealing
  • injectDll32 module –  monitors websites that are banking applications.

Also Read:

Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...