Security experts warn that, shortly after the TrickBot trojan was found to have worm-like spreading capabilities, the malware has expanded its target list to browser data and Outlook.
Although TrickBot has been active for less than a year, its creators have been constantly adding new capabilities to it. This year, the Dyre gang expanded the malware's target list to payment processors, private banking, and CRM providers.
According to the independent researcher Hasherezade, the malware's authors have added some new modules to the TrickBot trojan, as well as more developers to their team.
For instance, unlike most of the components, which are written in C++, the newly observed Outlook.dll module is written in Delphi.
According to Hasherezade, the current run includes five modules: SystemInfo.dll and loader.dll (injectDll32), which have been observed in TrickBot since its appearance, and mailsearcher.dll, added in December last year. The other two modules, called module.dll and Outlook.dll, had not been seen before.
Hasherezade claims that module.dll/importDll32 is written in C++ and compiled with Qt5 and OpenSSL, incorporating SQLite. Its compilation timestamp indicates that it was most probably built in May this year.
This module is bulky and was created to steal data from browsers, including browsing history, cookies, HTML5 Local Storage, Flash LSO (Local Shared Objects), and URL hits, as well as some other information.
“Contrary to loader.dll/injectDll, which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more,” Hasherezade explains.
What the module actually does is create a hidden desktop and use it as a workspace in which to open and fingerprint browsers, so that the user sees nothing of the malicious activity.
The Outlook.dll module, written in Delphi, contains a hardcoded configuration that follows the typical pattern for TrickBot modules. This latest module opens the relevant registry keys and attempts to retrieve saved credentials in order to steal Microsoft Outlook's stored data.
“TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll,” Hasherezade states.
Based on their latest findings, the researchers think that the TrickBot creators were working on a worm module that abuses the Server Message Block (SMB) protocol to spread locally; however, the logic to randomly scan external IPs for SMB connections was not ready yet.
According to Hasherezade, “TrickBot is still actively maintained and it is not going to leave the landscape anytime soon.”