TrickBot Sample Accidentally Warns Victims They’re Infected

TrickBot, the infamous info-stealing trojan, has been trying out a test module that accidentally pops up fraud alerts to victims.

A sandboxed sample of the trojan, obtained by MalwareHunterTeam and analyzed by Advanced Intelligence’s Vitali Kremez, turns out to contain a new module, called “module 0.6.8,” that carries the file name “grabber.dll.” It works to log browser activity and steal passwords used in Google Chrome, Internet Explorer, Mozilla Firefox and Microsoft Edge, and it sniffs out browser cookies — just like other grabber modules used by TrickBot.

However, this one has an unintended side effect. It immediately alerts victims that they’ve been infected by opening the browser with the alert message. This is bad news for TrickBot operators, who use the malware to set up backdoors on target machines — presumably to maintain persistence and steal as much information as possible.

TrickBot is a rapidly evolving modular malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include the ability to collect credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware, including ransomware like Ryuk.

TrickBot has been busy of late adding backdoor functionality to its bag of tricks. In June, a new stealthy module that researchers call “BazarBackdoor” was added to TrickBot’s arsenal; and in January, researchers found the malware’s operators to be using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of targeted financial institutions and also fetch yet other backdoors.

According to Kremez’ analysis, the newly discovered grabber module uses several internal C++ code references, such as “grabchrome.cpp,” which align with the usual TrickBot grabber code patterns and functions. It appears that its triggering of browser alerts is a coding mistake, he said.

“Advanced Intelligence assesses with high confidence that this module was likely a test module deployed mistakenly, alerting on the malware activity during the testing phase,” Kremez wrote in a blog posting on Saturday.

Kremez noted that the latest sample offers a window into how TrickBot’s operators are able to develop new functions so quickly – i.e., perhaps by outsourcing the coding duties.

“Based on our assessment, it is hypothesized [that] if developed by an outsider coder, this test module possibly reveals the nature of the TrickBot operations as…hiring coders under the ruse of legitimate anti-malware activity development,” he wrote.

He added that the sample is linked to the “chil48” distribution group, which is one of several known to spread TrickBot in campaigns. Posters on Reddit also began flagging the activity a couple of weeks ago, Bleeping Computer pointed out.

Interestingly, TrickBot operators may soon have yet another new module to deploy: The researcher also found a piece of code called “socksbot.dll,” which he said appears to act as a Socks5 proxy for the malware.

Anyone receiving the warnings should take their machine offline, Kremez recommended, and should reset both their passwords as well as any logged-in sessions, to prevent reuse of stolen cookies.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.