TrickBot malware has collected login credentials from 250 million email addresses

TrickBot, the malware discovered in 2016, has collected the passwords and address books of 250 million e-mail addresses. Investigators from security company Deep Instinct have found that, reports TechCrunch.

TrickBot was originally a financially motivated malware that was first spotted in 2016. Since then, it has been given new techniques for infecting computers in order to collect login data from e-mail accounts. In the end, the malware tries to steal money with it.

The security researchers were able to identify the command and control servers of the malware, after which they were given the 250 million cache of e-mail addresses. This concerns not only large quantities of Gmail, Yahoo and Hotmail accounts, but also various e-mail addresses of American ministries and ministries of other governments.

Based on the organisations that have affected it, it is logical that it should spread as widely as possible and collect as many e-mail addresses as possible, says Guy Caspi, CEO of Deep Instinct. If I landed on an endpoint in a U.S. department, I would try to spread as much as possible and collect every address and login details that I encounter.

TrickBooster

If a computer is already infected with TrickBot, it can download the TrickBooster component, which has a signed certificate. TrickBooster sends a list of the victim’s email addresses and address books back to the general server. The malware then sends spam from the victim’s computer. The sent e-mails are removed from the outbox and folder of sent items to prevent detection.

The malware uses a counterfeit certificate to draw the component to prevent it from being detected. Many of the certificates have been issued to legitimate businesses, which do not have to sign a code.

The researchers discovered TrickBooster on 25 June and reported it a week later to the certifying authorities. The certificates have been revoked, making it more difficult to run the malware.