INSUBCONTINENT EXCLUSIVE:
Trickbot is modular malware, first observed in 2016, that steals system information, login credentials and other sensitive data from vulnerable Windows machines. In November, however, security researchers from Palo Alto Networks began to see indicators that Trickbot's password grabber module had started to target data from OpenSSH and OpenVPN applications. When a Windows host is infected with Trickbot, it downloads different modules to perform various functions.
The modules themselves are stored as encrypted binaries in a folder located in the infected system's AppData\Roaming directory; they are then decoded as DLL files that run from system memory. Pwgrab64 is the password grabber used by Trickbot. This module retrieves login credentials stored in a victim's browser cache, but it can also obtain login credentials from other applications installed on the victim's host. Traffic patterns from recent Trickbot infections were fairly consistent until November, when Palo Alto Networks started seeing two new HTTP POST requests, caused by the malware's password grabber, for OpenSSH private keys and for OpenVPN passwords and configs. Thankfully, these updates to Trickbot's password grabber module may not be fully functional yet, as the researchers did not see any actual OpenVPN data in the traffic coming from the malware.
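As an added defender-side illustration (not from the Palo Alto Networks report or from Trickbot's own code), the following Python hunts an inventory of files under AppData\Roaming for encrypted-looking blobs of the kind described above, using byte entropy; the folder name, file names and contents are constructed placeholders, since the article does not name them.

```python
import math
import random
from collections import Counter

ROAMING = "\\appdata\\roaming\\"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted or well-compressed
    data sits near 8.0; text, configs and most plain code sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    # A plain DLL/EXE starts with "MZ"; an encrypted module has no such header.
    return data[:2] == b"MZ"


def flag_encrypted_blobs(files, threshold=7.5, min_size=256):
    """Return (path, entropy) for files under AppData\\Roaming that are large
    enough to judge, carry no PE header, and have near-random byte content."""
    hits = []
    for path, data in files:
        if ROAMING not in path.lower():
            continue  # out of scope for this hunt
        if len(data) < min_size or looks_like_pe(data):
            continue  # too small to judge, or an ordinary executable
        h = shannon_entropy(data)
        if h >= threshold:
            hits.append((path, round(h, 2)))
    return hits


# Constructed sample inventory (path, contents); a real hunt reads these from disk.
_rng = random.Random(2016)
_random_blob = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))
SAMPLE_FILES = [
    # encrypted-looking blob in a placeholder folder under Roaming -> flagged
    (r"C:\Users\victim\AppData\Roaming\<module_folder>\module.bin", _random_blob(4096)),
    # ordinary INI-style config -> low entropy, ignored
    (r"C:\Users\victim\AppData\Roaming\app\settings.ini", b"[Settings]\r\nupdate=1\r\n" * 50),
    # DLL stub with an MZ header -> ignored
    (r"C:\Users\victim\AppData\Roaming\app\helper.dll", b"MZ" + b"\x90" * 4094),
    # random data outside the scoped directory -> ignored
    (r"C:\Users\victim\Downloads\archive.zip", _random_blob(4096)),
]

if __name__ == "__main__":
    for path, h in flag_encrypted_blobs(SAMPLE_FILES):
        print(f"{h:.2f}  {path}")
```

The entropy threshold is a triage heuristic: compressed archives and legitimate encrypted stores under Roaming will also score high, so hits are leads for inspection, not verdicts.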
They also set up Trickbot infections in lab environments, where the HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN contained no data. However, Trickbot's password grabber does indeed work and will still obtain SSH passwords and private keys from the SSH/Telnet client PuTTY. The updated traffic patterns discovered by Palo Alto Networks show that Trickbot continues to evolve, but users can avoid falling victim to this malware by running fully patched and up-to-date versions of Microsoft Windows.