Posted on November 29, 2019 at 3:44 PM
Researchers have detected a new variant of malware that targets VPN accounts. VPN users have been warned of this malware, which aims to hijack their VPN accounts. The malware, Trickbot, was first detected in 2016. It steals login credentials, system information, and other very important data from vulnerable Windows machines.
But this month, researchers discovered a new dimension of the malware's operation. Palo Alto Networks, which has been monitoring the malware, detected that Trickbot has started targeting data from the OpenVPN and OpenSSH applications.
When Trickbot compromises a Windows host, it performs various functions by downloading different modules onto the host. The malware stores these modules in the AppData/Roaming directory as encrypted binaries; they are later decrypted in memory and run as DLL files.
Targeting OpenVPN and OpenSSH
Last month, researchers at Palo Alto Networks were monitoring Trickbot's activities when they noticed something irregular: the malware had shifted its attention from the usual theft of login passwords to theft of data from the OpenSSH and OpenVPN applications. The security experts began paying full attention and discovered more irregularities in the malware.
The research team examined a compromised 64-bit Windows 7 device and found that Trickbot uses a password grabber known as pwgrab64. It is used to obtain sensitive login details stored in the host system's cache files, and it can also obtain information from other applications apart from the cache files.
The pwgrab64 password grabber is not a new module; researchers have seen it active on infected systems and devices since last year.
However, its methods have changed: it was formerly focused on stealing passwords from applications and web browsers, and now it is targeting VPN accounts, where it could cause more damaging impacts.
Trickbot upgraded for more severe attacks
Earlier, in February this year, pwgrab64 was redirected to focus on the information and credentials used to authenticate to servers over RDP, PuTTY, and VNC. Now it has been redirected and updated again.
The researchers are keeping a close watch on the frequent updates to the password grabber to detect any further change in its operation, and they are alerting VPN owners to be aware of this new update and the malware's operational module.
This time, it uses an HTTP POST request to send stolen OpenVPN passwords and OpenSSH private keys back to the malware's command and control servers. Put simply, the malware has been reprogrammed to steal the login details of VPN users.
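As an added example, not from the article or from Palo Alto Networks, here is a small Python audit that flags the on-disk material this module collects: OpenVPN profiles that reference a plaintext credential file or embed a private key, and SSH private keys stored without a passphrase. The sample profile and the key-building helper are constructed for illustration.

```python
import base64
import re
import struct

# Constructed sample OpenVPN client profile (not from the article): it points at
# a plaintext credential file and carries the client private key inline.
SAMPLE_OVPN = """client
auth-user-pass creds.txt
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ
-----END PRIVATE KEY-----
</key>
"""

def audit_openvpn_config(text: str) -> list:
    """Return findings for an OpenVPN profile that keeps secrets on disk."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split()
        # 'auth-user-pass FILE' tells OpenVPN to read user and password from FILE
        if len(parts) > 1 and parts[0] == "auth-user-pass":
            findings.append(f"plaintext credential file referenced: {parts[1]}")
    # an inline <key> block embeds the client private key in the profile itself
    if re.search(r"<key>\s*-----BEGIN [A-Z ]*PRIVATE KEY-----", text):
        findings.append("inline private key embedded in profile")
    return findings

def constructed_openssh_key(cipher: str) -> str:
    """Build a minimal, non-loadable OpenSSH-format key whose header names CIPHER."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def ssh_key_is_encrypted(pem: str) -> bool:
    """True if an SSH private key file is passphrase-protected."""
    lines = pem.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # OpenSSH format: magic string, then a length-prefixed cipher name;
        # "none" means the key material is stored in the clear
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an OpenSSH private key")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n].decode()
        return cipher != "none"
    # legacy PEM keys (RSA/DSA/EC) mark encryption with a Proc-Type header
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines)
```

Run the two functions over the profiles under a user's OpenVPN directory and the keys under ~/.ssh; a finding from either means a credential grabber would obtain a usable secret without any further work.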
Palo Alto researchers say there's nothing to worry about yet
For those worried about losing their sensitive VPN details, the researchers have offered some assurance. According to the Palo Alto security watch, Trickbot is not yet retrieving actual details from the host files.
They believe those who are distributing this malware have yet to launch it in earnest because they could still be test-running it. But the researchers say it is still targeting the files and other information it targeted before the recent update.
The malware has an expansive reach and is capable of compromising almost all the information available in a VPN. It is a very robust piece of malware that could do a lot of harm when the hackers eventually let it loose. It can target everything from browser cookies to Sprint, T-Mobile, and Verizon PIN codes.
So, according to the researchers, it's important to be aware of and alert to the activities of this malware. VPN owners should stay alert because the hackers behind the malware could set it loose at any time once they have concluded their testing.