lkakjoy.blogg.se

Filezilla malware reddit










The malware uses one of two methods – credential extraction, or a fake phishing page which looks like the real thing – to gain the user’s login details and get access to the account. Trickbot’s core ability as a banking trojan also remains: monitoring users and which banking URLs they access, including those of institutions in the United States, Canada, the UK, Germany, Australia, Austria, Ireland and Switzerland. The addition of this password stealer makes Trickbot an even more powerful tool, with the ability to steal credentials from across the web – putting victims at risk of theft and fraud on more than just their bank account.


This payload – pointer.exe – is TrickBot itself, which is listed as “pointe s.exe” once installed. Like previous versions of the malware, it persistently installs itself into the system’s Task Scheduler so it can be run automatically when the machine is operational. After it has been running for a little time, it downloads a new module – pwgrab32. According to Fortinet, this particular module first emerged in mid-October and, as the name suggests, it’s designed to grab password information from the victim’s system.

The password grabber can steal credentials from applications such as Filezilla, Microsoft Outlook, and WinSCP, potentially providing all sorts of information about the infected machine. In addition to stealing credentials from applications, Trickbot also steals information from web browsers, including usernames and passwords, internet cookies, browsing history, autofill and HTTP posts. All of these can be exploited to enable the attacker to make off with additional data – and it works on Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge browsers.


The execution goes through a number of processes, culminating in PowerShell being executed to download a final payload from a fake Microsoft Office Excel address.











