New Module for Trickbot Trojan Malware Discovered

Hackers are distributing a new module for the Trickbot malware through a phishing campaign. The update renders the Trojan variant capable of obtaining VNC, PuTTY, and remote desktop credentials.

Hackers are spreading the latest updates through a phishing campaign in which spam emails purporting to offer help with recent changes to the U.S. tax code to reduce tax bills are used to trick recipients into downloading the malware.

Trojans are malware variants disguised as benign or useful pieces of software. They are installed under false pretences, as the user is often tricked into believing that they serve a legitimate purpose. Once the Trojan is executed on a server, the hacker can gain access to the system and steal valuable information for nefarious purposes. Trojans are often installed through a phishing campaign.

The hackers have spoofed the accounting organisation Deloitte in the emails. The subject line has a tax-incentive-related title, thereby enticing unsuspecting users to open the emails. The emails contain an Excel file (XLSM) attachment with a malicious macro that downloads the Trickbot Trojan. The latest Trickbot variant includes an updated pwgrab module with three new functions for Virtual Network Computing (VNC), PuTTY, and RDP. The malware is capable of obtaining credentials for these platforms, along with hostnames, ports, and proxy settings, and exfiltrates the data to the attacker’s C2 servers.
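The delivery chain above starts with a macro-enabled Excel attachment. A mail gateway can detect that stage before any user opens the file: an XLSM (like all OOXML documents) is a ZIP archive, and the macro code lives in a `vbaProject.bin` part inside it, so the presence of that part can be checked without executing anything. The following is an added illustration written for this article, not code from the original page, from Trend Micro, or from any product; it assumes a hypothetical gateway hook that hands over an attachment's filename and raw bytes, and the sample workbooks it inspects are constructed in memory.

```python
import io
import zipfile

# Extensions Office treats as macro-enabled (a small, known subset).
MACRO_ENABLED_EXTENSIONS = {"xlsm", "xlam", "xltm", "docm", "dotm", "pptm"}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML-style ZIP, optionally carrying a
    VBA project part. Real workbooks contain many more parts; only the ZIP
    layout matters for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # vbaProject.bin is an OLE compound file; the magic bytes below are
            # the real OLE header signature, the rest is filler for the sample.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def attachment_has_vba(data: bytes) -> bool:
    """Return True if an OOXML attachment contains a VBA project part.

    Non-ZIP input (plain text, legacy binary .xls, corrupt files) is reported
    as 'no VBA found' here; a production gateway would route those to a
    separate scanner rather than treat them as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(name.endswith("vbaproject.bin") for name in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Decide what to do with an inbound attachment.

    'quarantine': a VBA project is present, whatever the file is named.
    'review':     macro-enabled extension but no VBA part (unusual; hold it).
    'allow':      no macro indicators found by this check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if attachment_has_vba(data):
        return "quarantine"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample attachments standing in for gateway input.
    samples = [
        ("tax_changes_2019.xlsm", build_sample_ooxml(with_macro=True)),
        ("quarterly_report.xlsm", build_sample_ooxml(with_macro=False)),
        ("budget.xlsx", build_sample_ooxml(with_macro=False)),
        ("notes.txt", b"plain text, not an archive"),
    ]
    for name, blob in samples:
        print(f"{name:28s} -> {triage_attachment(name, blob)}")
```

The decision is deliberately based on the archive contents rather than the extension alone, because a macro-carrying workbook can be renamed to `.xlsx` and Excel will still load it, and because a file that advertises itself as macro-enabled but contains no VBA is unusual enough to deserve a look.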

Hackers frequently issue updates for the Trickbot Trojan. The updates include anti-analysis protection and the ability to disable some security tools. The pwgrab password-stealing module was added to the Trojan in November 2018.

Trend Micro identified the latest version of the Trojan in January 2019. Trend Micro notes that the latest updates make this already dangerous malware even more of a threat.

Phishing attacks pose significant threats to a wide variety of industries, including the financial and healthcare sectors. Organisations should endeavour to ensure that they have robust and up-to-date cybersecurity safeguards in place to minimise the number of spam emails reaching employee inboxes. It only takes one employee to fall for a scam for a network to be compromised, so the fewer chances the hackers have, the better.

Employees should receive security awareness training, including how to spot suspicious emails. Employees should be warned not to open emails or download attachments from unknown senders. If they do make an error, employees should be encouraged to notify the IT department of their mistake so that the proper procedures can be followed to rectify the error.