Trickbot now uses Microsoft Excel to steal passwords and web browser data

The banking trojan has pivoted from stealing victims’ financial details to credentials and web history

The Microsoft Excel app on a mobile phone with headphones plugged in

The Trickbot malware, which has conventionally sought banking details, is now using a Microsoft Excel file ridden with malicious code to steal user credentials from web browsers.

Its new module dubbed pwgrab32 is attempting to steal autofill data, web history as well as usernames and passwords from browsers and several applications through a malicious Microsoft Excel file, researchers claim.

The attackers are spreading a file (named Sep_report.xls) via malicious code written in the Macro VBS programming language, executed when victims open the document. When Sep_report is opened users are then prompted to "enable content" on the embedded Macro, which activates and runs the malicious script.

After the malware downloads and runs the pwgrab32 module, it launches three threads to grab credentials from Internet Explorer, Firefox and Chrome, said a Fortinet security researcher Xiaopeng Zhang. In Zhang's version, a fourth thread for Edge was present but disabled.

Advertisement - Article continues below

Pwgrab32 then executes functions to steal autofill information from the web browser, credit card information, as well as credentials such as email address, country, company, street address, full name and phone number.

It steals stored usernames and passwords, internet cookies, browsing history, and HTTP posts. It is not capable of stealing passwords from third-party password manager applications such as Dashlane or LastPass, however, according to Trend Micro's security researchers Noel Anthony Llimos and Carl Maverick Pascual, who also analysed Trickbot.

Once the malware has completed this process, it moves on to harvest passwords from mail client Outlook, as well as File Transfer Protocol apps FileZilla and WinSCP.

The malware's new functionality came to researchers' attention last month, with Fortinet's Zhang capturing his sample on 19 October.

"Malware authors continue to cash in on Trickbot's modular structure - its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that's ripe for updating," said Trend Micro's Noel Anthony Llimos and Carl Maverick Pascual.

"Users and enterprises can benefit from protection that use a multi-layered approach to mitigate the risks brought by threats like banking trojans."

Conventionally targeting victims' financial details, Trickbot has been alive and active since 2016 and is believed to be the reincarnation of the 'Dyre' attacks earlier this decade.

The modular nature of the malware means the attackers behind it have been able to expand into several areas beyond its original narrow focus as a banking trojan.

Other notable modules it has developed in the last couple of years include systeminfo32, which gathers data on a victim's OS, CPU and memory information, and networkDll32, an encrypted module which scans a network and steals network information.

Trickbot has even pivoted to Bitcoin wallet theft in recent months, with a Trickbot variant spotted last year that targets the Coinbase cryptocurrency exchange platform to steal user credentials, and funds.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



What is a Trojan?

14 Aug 2019

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019