What began as a banking Trojan has morphed into a malware family that counts information theft, vulnerability exploitation, and rapid propagation among its capabilities, researchers said.
Trickbot first arrived on the scene in 2016, its initial iteration being a banking Trojan that infected computers to steal email passwords and address books to spread malicious emails from compromised accounts.
A few years and multiple transformations later, what was a simple banking Trojan has mutated into a far more capable form of malware.
One of the more notable functions of Trickbot is a password-grabbing module (pwgrab) researchers found last year, with the initial version of the module designed to steal credentials from various applications and web browsers, said researchers at Trend Micro in a post.
In February, researchers found the malware's authors had launched a variant with an upgraded password module, allowing it to retrieve credentials from remote-access tools such as Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.
More recently, researchers from Palo Alto Networks' Unit 42 found the module had evolved a third time, after noticing that Trickbot, whose traffic patterns had been consistent, suddenly began sending HTTP POST requests from the pwgrab module.
A closer look revealed these were requests for private keys, passwords, and configuration files sourced from the networking utilities OpenSSH and OpenVPN.
One caveat to the findings is that, although these requests were sent to command-and-control (C&C) servers, no data was found to have actually been exfiltrated, Trend Micro researchers said.
In addition, the researchers who discovered the requests tested the malware variant in a lab environment and likewise found that the generated requests contained no actual data. This suggests the feature is still under development or being tested.
The difficulty with combating a threat like Trickbot is that, over time, small but constant changes can morph it into something entirely unrecognizable. In this case, a security researcher analyzing the banking Trojan as it appeared in 2016 might not be able to accurately correlate it with the present-day iteration of Trickbot unless they already had prior knowledge of it and knew which indicators to look for.