Trickbot now uses Microsoft Excel to steal passwords and web browser data

The banking trojan has pivoted from stealing victims’ financial details to credentials and web history

The Microsoft Excel app on a mobile phone with headphones plugged in

The Trickbot malware, which has conventionally sought banking details, is now using a Microsoft Excel file ridden with malicious code to steal user credentials from web browsers.

Its new module dubbed pwgrab32 is attempting to steal autofill data, web history as well as usernames and passwords from browsers and several applications through a malicious Microsoft Excel file, researchers claim.

The attackers are spreading a file (named Sep_report.xls) via malicious code written in the Macro VBS programming language, executed when victims open the document. When Sep_report is opened users are then prompted to "enable content" on the embedded Macro, which activates and runs the malicious script.

After the malware downloads and runs the pwgrab32 module, it launches three threads to grab credentials from Internet Explorer, Firefox and Chrome, said a Fortinet security researcher Xiaopeng Zhang. In Zhang's version, a fourth thread for Edge was present but disabled.

Pwgrab32 then executes functions to steal autofill information from the web browser, credit card information, as well as credentials such as email address, country, company, street address, full name and phone number.

It steals stored usernames and passwords, internet cookies, browsing history, and HTTP posts. It is not capable of stealing passwords from third-party password manager applications such as Dashlane or LastPass, however, according to Trend Micro's security researchers Noel Anthony Llimos and Carl Maverick Pascual, who also analysed Trickbot.

Once the malware has completed this process, it moves on to harvest passwords from mail client Outlook, as well as File Transfer Protocol apps FileZilla and WinSCP.

The malware's new functionality came to researchers' attention last month, with Fortinet's Zhang capturing his sample on 19 October.

"Malware authors continue to cash in on Trickbot's modular structure - its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that's ripe for updating," said Trend Micro's Noel Anthony Llimos and Carl Maverick Pascual.

"Users and enterprises can benefit from protection that use a multi-layered approach to mitigate the risks brought by threats like banking trojans."

Conventionally targeting victims' financial details, Trickbot has been alive and active since 2016 and is believed to be the reincarnation of the 'Dyre' attacks earlier this decade.

The modular nature of the malware means the attackers behind it have been able to expand into several areas beyond its original narrow focus as a banking trojan.

Other notable modules it has developed in the last couple of years include systeminfo32, which gathers data on a victim's OS, CPU and memory information, and networkDll32, an encrypted module which scans a network and steals network information.

Trickbot has even pivoted to Bitcoin wallet theft in recent months, with a Trickbot variant spotted last year that targets the Coinbase cryptocurrency exchange platform to steal user credentials, and funds.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021