This banking malware just added password and browser history stealing to its playbook

The latest version of the malware uses a malicious Excel document to install an information-stealing module.
Written by Danny Palmer, Senior Writer

The Trickbot banking malware has added yet another tool to its arsenal, allowing crooks to steal passwords as well as steal browser data including web history and usernames.

The malware first appeared in 2016, initially focused on stealing banking credentials -- but Trickbot is highly customisable and has undergone a series of updates since then. The latest trick -- picked up by researchers at both Trend Micro and Fortinet -- is the addition of a new module designed to steal passwords.

This new Trickbot variant first emerged in October and is delivered to victims via a malicious Excel document.

Like many forms of malware, the malicious package is spread via macros: the user is told their document was created in an older version of Excel and that they must 'enable content' to view the file. This allows macros to run and executes malicious VBS code, which starts the malware download process.

Sep_report.xls decoy document used to deliver Trickbot. (Image: Fortinet)

The execution goes through a number of processes, culminating in PowerShell being executed to download a final payload from a fake Microsoft Office Excel address.

This payload -- pointer.exe -- is Trickbot itself, which is listed as "pointes.exe" once installed. Like previous versions of the malware, it establishes persistence by registering itself in the system's Task Scheduler so it runs automatically whenever the machine is on.
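As an added example (not code from the article or from the Trend Micro or Fortinet research), the following Python walks constructed Sysmon-style process-creation records and flags any powershell.exe whose ancestry includes Excel, the delivery chain described above. The record format, the image paths and the VBS script name are assumptions.

```python
"""Flag PowerShell processes descended from an Office application.
Mirrors the Excel macro -> VBS -> PowerShell chain described above.
All events below are constructed sample data, not vendor telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a process-creation log would record it
    cmdline: str


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
TARGET = "powershell.exe"


def basename(path: str) -> str:
    """Lower-cased file name of an image path (handles backslashes)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_powershell(events):
    """Return (pid, chain) for every powershell.exe with an Office ancestor.
    chain lists image basenames from the Office root down to powershell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != TARGET:
            continue
        chain = [basename(e.image)]
        seen = {e.pid}                     # guards against pid reuse loops
        cur = by_pid.get(e.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(basename(cur.image))
            if basename(cur.image) in OFFICE_IMAGES:
                hits.append((e.pid, list(reversed(chain))))
                break
            cur = by_pid.get(cur.ppid)
    return hits


# Constructed sample events: one macro-driven chain and one benign admin shell.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE Sep_report.xls"),
    ProcEvent(510, 500, r"C:\Windows\System32\wscript.exe", "wscript.exe stage.vbs"),  # hypothetical script name
    ProcEvent(520, 510, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden"),
    ProcEvent(600, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Process"),
]

if __name__ == "__main__":
    for pid, chain in office_spawned_powershell(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

The benign PowerShell started from Explorer (pid 600) is not reported; only the Excel-rooted chain is.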


After it has been running for a little time, it downloads a new module, pwgrab32. According to Fortinet, this particular module first emerged in mid-October and, as the name suggests, it's designed to grab password information from the victim's system.

The password grabber can steal credentials from applications such as FileZilla, Microsoft Outlook, and WinSCP, potentially providing all sorts of information about the infected machine.

In addition to stealing credentials from applications, Trickbot also steals information from web browsers, including usernames and passwords, internet cookies, browsing history, autofill data and HTTP posts. All of these can be exploited to enable the attacker to make off with additional data -- and it works on Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge browsers.

The addition of this password stealer makes Trickbot an even more powerful tool, with the ability to steal credentials from across the web -- putting victims at risk of theft and fraud on more than just their bank account.

Trickbot's core ability as a banking trojan remains monitoring users and the banking URLs they access, including those of institutions in the United States, Canada, the UK, Germany, Australia, Austria, Ireland, and Switzerland. The malware uses one of two methods -- credential extraction, or a fake phishing page which looks like the real thing -- to gain the user's login details and get access to the account.

Malware authors continue to update banking trojans like Trickbot and Emotet in order to ensure they can remain undetected for as long as possible. Using a robust security package can go some way to preventing users from falling victim to attacks -- as can education on how to spot the suspicious emails which deliver this type of threat.
