{
	"id": "d5294d98-504c-449e-8372-912a56d44aae",
	"created_at": "2026-04-06T00:19:10.304478Z",
	"updated_at": "2026-04-10T13:11:43.201147Z",
	"deleted_at": null,
	"sha1_hash": "8d96c13c1dee01d67048dcbb54588afdf0d21874",
	"title": "Trickbot Adds Credential-Grabbing Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81079,
	"plain_text": "Trickbot Adds Credential-Grabbing Capabilities\r\nPublished: 2019-02-12 · Archived: 2026-04-05 20:18:35 UTC\r\nIn November 2018, we covered a Trickbot variant that came with a password-grabbing module, which allowed it to steal credentials from numerous applications. In January 2019, we saw Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities added to its already extensive bag of tricks. Its authors clearly aren't done updating Trickbot — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.\r\nInfection Chain\r\nFigure 1. Infection chain for the malware\r\nTechnical Analysis\r\nThe malware arrives via an email disguised as a tax incentive notification from a major financial services company. This email includes a macro-enabled (XLSM) Microsoft Excel spreadsheet attachment (detected as Trojan.W97M.MERETAM.A) that purportedly contains the details of the tax incentive. However, as these attachments usually go, this macro is malicious and will download and deploy Trickbot on the user’s machine once activated.\r\nFigure 2. The spam email containing the malicious macro-enabled attachment.\r\nFigure 3. Screenshot of the attached spreadsheet document\r\nThis Trickbot variant is largely similar to the variant we discovered in November. However, the 2019 version adds three new functions, one each for the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.\r\nFigure 4. Comparison of the pwgrab modules from November 2018 (top) and January 2019 (bottom). Note the added functions in the code.\r\nFigure 5. C\u0026C traffic with the RDP credentials being sent.\r\nOne of the techniques employed by these new functions encrypts the strings it uses via simple variants of XOR or SUB routines.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/\r\nPage 1 of 3\r\nFigure 6. XOR routine (top) and SUB routine (bottom) string encryption.\r\nIt also makes use of API hashes for indirect API calling, which was prominently attributed to the Carberp trojan source code leak from 2013.\r\nFigure 7. API hashing artifact from the Carberp source code.\r\nVNC\r\nTo grab VNC credentials, the pwgrab module searches for files using the “*.vnc.lnk” affix that are located in the following directories:\r\n%APPDATA%\\Microsoft\\Windows\\Recent\r\n%USERPROFILE%\\Documents, %USERPROFILE%\\Downloads\r\nThe stolen information includes the target machine's hostname, port, and the proxy settings.\r\nFigure 8. Screenshot of how pwgrab locates “.vnc.lnk” files in the %USERPROFILE%\\Downloads directory.\r\nThe module will send the required data via POST, which is configured through a downloaded configuration file using the filename “dpost.” This file contains a list of command-and-control (C\u0026C) servers that will receive the exfiltrated data from the victim.\r\nFigure 9. Stolen information being exfiltrated to the C\u0026C server.\r\nPuTTY\r\nTo retrieve the PuTTY credentials, it queries the registry key Software\\SimonTatham\\Putty\\Sessions to identify the saved connection settings, which allows the module to retrieve information such as the hostname and username, and the private key files used for authentication.\r\nFigure 10. Registry traversal for PuTTY data exfiltration (left), code showing hostname, username and private key files (right).\r\nRDP\r\nIts third function, related to RDP, uses the CredEnumerateA API to identify and steal saved credentials. It then parses the string “target=TERMSRV” to identify the hostname, username, and password saved per RDP credential.\r\nRecommendations\r\nThese new additions to the already “tricky” Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware. While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.\r\nFortunately, users can nip these attacks in the bud simply by following the best practices against spam. This includes being aware of the main characteristics of a spam email, such as a suspicious sender address and multiple grammatical errors. We also recommend that users refrain from opening email attachments unless they are sure that they come from a legitimate source.\r\nTrend Micro solutions\r\nThe following Trend Micro solutions, powered by XGen™ security, protect systems from all types of threats, including malware such as Trickbot:\r\nTrend Micro™ Security\r\nSmart Protection Suites and Worry-Free™ Business Security\r\nTrend Micro Network Defense\r\nIndicators of Compromise (IOCs)\r\nTrickbot (Detected as TrojanSpy.Win32.TRICKBOT.AZ)\r\n374ef83de2b254c4970b830bb93a1dd79955945d24b824a0b35636e14355fe05\r\nTrickbot (Detected as Trojan.Win32.MERETAM.AD)\r\nFcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/"
	],
	"report_names": [
		"trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire"
	],
	"threat_actors": [],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d96c13c1dee01d67048dcbb54588afdf0d21874.pdf",
		"text": "https://archive.orkl.eu/8d96c13c1dee01d67048dcbb54588afdf0d21874.txt",
		"img": "https://archive.orkl.eu/8d96c13c1dee01d67048dcbb54588afdf0d21874.jpg"
	}
}