IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Trickbot now uses Microsoft Excel to steal passwords and web browser data

The banking trojan has pivoted from stealing victims’ financial details to credentials and web history

The Microsoft Excel app on a mobile phone with headphones plugged in

The Trickbot malware, which has conventionally sought banking details, is now using a Microsoft Excel file ridden with malicious code to steal user credentials from web browsers.

Its new module dubbed pwgrab32 is attempting to steal autofill data, web history as well as usernames and passwords from browsers and several applications through a malicious Microsoft Excel file, researchers claim.

The attackers are spreading a file (named Sep_report.xls) via malicious code written in the Macro VBS programming language, executed when victims open the document. When Sep_report is opened users are then prompted to "enable content" on the embedded Macro, which activates and runs the malicious script.

After the malware downloads and runs the pwgrab32 module, it launches three threads to grab credentials from Internet Explorer, Firefox and Chrome, said a Fortinet security researcher Xiaopeng Zhang. In Zhang's version, a fourth thread for Edge was present but disabled.

Pwgrab32 then executes functions to steal autofill information from the web browser, credit card information, as well as credentials such as email address, country, company, street address, full name and phone number.

It steals stored usernames and passwords, internet cookies, browsing history, and HTTP posts. It is not capable of stealing passwords from third-party password manager applications such as Dashlane or LastPass, however, according to Trend Micro's security researchers Noel Anthony Llimos and Carl Maverick Pascual, who also analysed Trickbot.

Once the malware has completed this process, it moves on to harvest passwords from mail client Outlook, as well as File Transfer Protocol apps FileZilla and WinSCP.

The malware's new functionality came to researchers' attention last month, with Fortinet's Zhang capturing his sample on 19 October.

"Malware authors continue to cash in on Trickbot's modular structure - its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that's ripe for updating," said Trend Micro's Noel Anthony Llimos and Carl Maverick Pascual.

"Users and enterprises can benefit from protection that use a multi-layered approach to mitigate the risks brought by threats like banking trojans."

Conventionally targeting victims' financial details, Trickbot has been alive and active since 2016 and is believed to be the reincarnation of the 'Dyre' attacks earlier this decade.

The modular nature of the malware means the attackers behind it have been able to expand into several areas beyond its original narrow focus as a banking trojan.

Other notable modules it has developed in the last couple of years include systeminfo32, which gathers data on a victim's OS, CPU and memory information, and networkDll32, an encrypted module which scans a network and steals network information.

Trickbot has even pivoted to Bitcoin wallet theft in recent months, with a Trickbot variant spotted last year that targets the Coinbase cryptocurrency exchange platform to steal user credentials, and funds.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
What is a Trojan?
Security

What is a Trojan?

27 Aug 2021

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022