Malware Trickbot now also uses Excel file to steal login codes

Trickbot, the malware that had previously conventionally gone after bank details, now uses a Microsoft Excel file to capture user login codes. The new module is called pwgrab32 and tries to steal autofill data, browsing history and usernames and passwords from browsers and various other apps via a Microsoft Excel file.

The attackers distribute a file called Sep_report.xls. The malware then spreads through the Macro VBS programming language and becomes active as soon as the victim opens the document. When a user opens Sep_report, he must allow the content of the embedded Macro. If the user does so, the macro activates and the malware is active.

How the malware works

After downloading the malware and running the pwgrab32 module, it launches three attempts to steal login credentials from Internet Explorer, Firefox and Chrome. A fourth attempt to steal information from Edge also exists, but is not active at the moment. Among other things, the malware performs the autofill function of the browsers.

This makes it possible to steal e-mail addresses, country, addresses, names and phone numbers. By also downloading usernames, passwords, cookies and browsing history, it allows developers to log on to bank sites. People who use third party password managers, such as Dashlane or LastPass, are safe.

When Trickbot has finished stealing passwords from the browsers, it continues with mailapp Outlook, and apps like FileZilla and WinSCP. The modular structure of Trickbot is often used to continuously update the software. For example, new modules are removed from a C&C server and the configuration of the malware is changed, according to researchers Noel Anthony Llimos and Carl Maverick Pascual of Trend Micro.

According to the researchers, users and companies can benefit from protective measures that use a multi-layered approach to avoid risks that arise from, for example, the banking trojant.