TrickBot malware creators fail to remove a test module that warns victims that they are infected
Imagine living to see a day when malware tells you that it has infected your system and you should inform the system administrator to remove the infection. This is what is happening with the now infamous TrickBot malware due to a mistake by its creators.
The TrickBot authors appear to have mistakenly left a test module in the malware. This test module warns victims that they are infected and that they should contact their administrator. Malware authors routinely test their code against the detection measures implemented by anti-virus vendors so that it evades detection and stays hidden on the victim’s computer; in this case, the TrickBot authors apparently forgot to remove one such test module, which instead announces the infection to the user.
TrickBot is modular malware that is commonly distributed via phishing email. Once the victim opens the phishing email, TrickBot quietly installs itself on the machine and downloads various modules, each of which performs a different task on the infected computer. These modules operate independently of each other and carry out nefarious activities such as stealing a domain’s Active Directory Services database, harvesting browser passwords and cookies, stealing OpenSSH keys, and spreading laterally throughout a network. A separate module gives ransomware operators such as Ryuk and Conti access to the victim’s computer.
TrickBot also analyses the victim’s screen resolution. According to a report by MalwareLab researcher Maciej Kotowicz, TrickBot does not execute its payload on machines with a low screen resolution. Kotowicz explains that TrickBot checks the screen resolution of the infected system to detect an isolated analysis environment and refuses to run its payload when it finds one. In his investigation, Kotowicz notes that a new TrickBot sample checks whether the screen resolution of the affected computer is 800×600 or 1024×768, and that if it is 800×600, TrickBot does not run.
Although TrickBot began as a banking Trojan, its creators have added many modules over the years, making it one of the most dangerous malware families today. Advanced Intel’s Vitali Kremez analyzed a recent TrickBot release and found that it was a test version of the malware. One of the modules developed by the TrickBot authors is grabber.dll, which steals passwords and cookies from the victim’s Chrome, Edge, Internet Explorer, and Firefox browsers. The stolen credentials and cookies can then be used to log in to the victim’s accounts.
Kremez found that the test version of the malware contained this password-stealing grabber.dll module. When loaded, the module displays a warning in the default browser stating that the program is gathering information and that the victim should inform their system administrator.
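From the defender’s side, the behaviour described above leaves a trace that endpoint telemetry can catch: a module is dropped to disk and loaded into a process. The script below is an added example written for this article (not code from TrickBot, from Kremez, or from any named researcher). It runs a small detection over constructed Sysmon-style “Image loaded” (Event ID 7) records, flagging any DLL whose file name is on a watchlist (here only grabber.dll, the module named above) and, more generally, any unsigned DLL loaded from a user-writable directory, the kind of location a downloaded malware module typically runs from. The flat key=value log format, the process names and paths, and the list of user-writable directories are all constructed assumptions; real Sysmon events are XML, and a production rule would be tuned against the organisation’s own baseline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, simplified Sysmon Event ID 7 (Image loaded) records in a flat
# key=value form. They are sample input only, not real telemetry and not
# taken from any TrickBot sample.
SAMPLE_EVENTS = [
    "EventId=7 Image=C:\\Windows\\System32\\svchost.exe "
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll Signed=true SignatureStatus=Valid",
    "EventId=7 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "ImageLoaded=C:\\Program Files\\Mozilla Firefox\\xul.dll Signed=true SignatureStatus=Valid",
    "EventId=7 Image=C:\\Users\\alice\\AppData\\Roaming\\svcupdate\\loader.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\svcupdate\\grabber.dll "
    "Signed=false SignatureStatus=Unavailable",
    "EventId=7 Image=C:\\Users\\alice\\AppData\\Roaming\\svcupdate\\loader.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\module_b.dll "
    "Signed=false SignatureStatus=Unavailable",
    "EventId=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# Module file names worth an alert on their own. grabber.dll is the name
# reported in Kremez's analysis; the set is otherwise an assumption.
WATCHLIST = {"grabber.dll"}

# Directory fragments treated as user-writable (assumed list; extend to taste).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Each value runs until the next " key=" token or the end of the line, so
# paths containing spaces (e.g. "Program Files") are kept intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    rule: str
    process: str
    module: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flat key=value record into a dict."""
    return {key: value for key, value in KV_RE.findall(line)}


def check_image_load(event: Dict[str, str]) -> List[Alert]:
    """Apply both rules to a single parsed event; non-ImageLoad events yield nothing."""
    alerts: List[Alert] = []
    if event.get("EventId") != "7":
        return alerts

    process = event.get("Image", "")
    module = event.get("ImageLoaded", "")
    module_lower = module.lower()
    file_name = module_lower.rsplit("\\", 1)[-1]

    # Rule 1: exact file-name match against the watchlist.
    if file_name in WATCHLIST:
        alerts.append(Alert("watchlist-module", process, module))

    # Rule 2: unsigned image loaded from a user-writable location.
    unsigned = event.get("Signed", "").lower() != "true"
    if unsigned and any(fragment in module_lower for fragment in USER_WRITABLE):
        alerts.append(Alert("unsigned-dll-user-writable", process, module))

    return alerts


def scan(lines: List[str]) -> List[Alert]:
    """Run the detection over a batch of log lines and collect all alerts."""
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(check_image_load(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.process} loaded {alert.module}")
```

Running the script against the constructed records produces three alerts: the grabber.dll load trips both rules, and the second unsigned DLL under Temp trips the user-writable rule alone, while the legitimate system and browser loads and the unrelated process-creation event produce nothing. The second rule is the more durable one, since it does not depend on an attacker keeping a recognisable file name.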
A Reddit user also encountered the same warning. “Firefox is warning me about a ‘program named grabber.’ What is it and what should I do?” the Reddit user asked.
If you are infected by TrickBot, immediately disconnect the machine from the Internet and perform an anti-virus scan. Most AV products can detect and quarantine TrickBot. Once you have disinfected your PC or laptop, change the passwords for any and all websites you use.