The infamous Trickbot trojan has acquired new credential-stealing capabilities. Read on to learn more about it.
First analyzed in October 2016, Trickbot is thought to be the work of the same cybercriminals who created Cutwail, Vawtrak, and Pushdo. When it emerged on the scene, it was a fairly simple threat with a limited number of targeted financial institutions. An update arrived about a month later, however, and experts quickly realized that they had a serious piece of malware on their hands. Within mere weeks of releasing the first version, Trickbot’s authors had already built both redirection and server-side web injection mechanisms into their trojan. Trickbot might not have been the first banking malware to use the two techniques, but it was the first to do so this soon after its debut. The gang had more than a few other tricks up their sleeves.
Even in the first version, security researchers saw that Trickbot’s design allowed for the easy addition of modules that could diversify its criminal activities. In the summer of 2017, the cyber crooks implemented a component that stole login credentials not only for banking accounts but for customer relationship management systems as well, and shortly after, they added many new entries to the list of targeted financial institutions. The Trickbot gang were now harassing users in close to twenty countries.
In a couple of years, Trickbot transformed from a new trojan into an established name in the online threat landscape. For some reason, many people continue to classify it as a banking trojan, but those who have actually analyzed it in detail know that it is a bit more than that. The latest Trickbot update adds a standalone cookie-stealing module.
Malware researcher Brad Duncan observed Trickbot’s new module on July 2, 2019, when a Trickbot infection delivered a malicious file named “cookiesDLL64”. The new module, dubbed ‘Cookie Grabber’, is designed to steal browser cookies: the small pieces of text that websites save in the browser for purposes such as remembering the login state, website preferences, and personalized content, or for tracking a user’s browsing activity. “I think they are separating each functionality into separate modular components,” the researcher told BleepingComputer.
The Cookie Grabber module targets the cookie storage databases of all major web browsers, including Chrome, Firefox, Internet Explorer, and Microsoft Edge. The module is completely standalone and comes with its own configuration file, which means that once it is delivered to a victim host, the malware operators can control it independently of the rest of the trojan. Standalone modules offer finer control over each feature and let the operators tailor the malware’s capabilities to the purpose of each campaign.
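Because the module reads the browsers’ own cookie databases rather than hooking the browser, one host-side signal is a non-browser process opening those files. The detector below is an added example (not code from the article or from any analysis it cites): the event shape and sample events are constructed, and the cookie store paths are the assumed default Windows locations for Chrome, Edge, Firefox, and Internet Explorer.

```python
"""Flag non-browser processes that read browser cookie stores.

Added example, not from the original article. Event format is a constructed
dict loosely modelled on Sysmon file-access telemetry; paths are assumed
default cookie store locations on Windows.
"""
import re
from typing import Iterable

# Assumed default cookie store locations; matched case-insensitively.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
    re.compile(r"\\Microsoft\\Windows\\INetCookies\\", re.I),
]

# Processes that legitimately open their own cookie databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def is_cookie_store(path: str) -> bool:
    """True if the file path points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def suspicious_cookie_access(events: Iterable[dict]) -> list[dict]:
    """Return events where a process outside the browser allowlist touched a cookie store.

    Each event has 'image' (process executable path) and 'target' (file opened).
    Backup agents or forensic tools may also trigger this; tune BROWSER_IMAGES per fleet.
    """
    hits = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in BROWSER_IMAGES and is_cookie_store(ev["target"]):
            hits.append(ev)
    return hits


# Constructed sample telemetry: two benign browser events, two worth alerting on.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\cookies.sqlite"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\cookies.sqlite"},
]

if __name__ == "__main__":
    for hit in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} read {hit['target']}")
```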
“2019-07-02 – Is this cookiesDll a new #Trickbot module? – Very interesting. – Seen from an infection of Trickbot gtag: ono5 earlier today. -https://app.any.run/tasks/f1cab70c-6ed9-4cf2-a7a1-… … – cc: @hasherezade, @VK_Intel, @James_inthe_box, @mesa_matt (and others I can’t think of off the top of my head),” Duncan tweeted.
Another researcher, Vitali Kremez, confirmed the module. “Nice find. Indeed, this is the new #TrickBot ‘#CookieGrabber’ browser module (with local db parser), released with the usual export ord (Start, Control, Release, FreeBuffer) and dpost config,” Kremez replied to Duncan’s tweet.
Kremez added that the new module’s build date was June 27 and that it targeted the cookie storage databases of all major web browsers, including Chrome, Firefox, Internet Explorer, and Microsoft Edge.