TrickBot Goes After SSH Keys
TrickBot has modified its password grabber to target data from OpenSSH and OpenVPN applications. OpenSSH is a tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping. OpenVPN is used to secure private networks. TrickBot targets Windows hosts and then downloads various modules to steal information. Pwgrab64, retrieves login credentials stored in a victim’s browser cache, and from any installed applications.
The password grabber and some other TrickBot modules send stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by TrickBot The URL in the HTTP POST request ends with the number 81. This number is used in URLs generated by TrickBot's password-grabber module.
Hackers know that SSH keys can provide complete control over devices, and the latest TrickBot malware is very good at stealing these sensitive credentials. SSH keys need to be rotated frequently, and the only way to do this effectively is with automation, but many organizations, including banks, never change them. Even worse, many SSH keys never expire so they can be used to create long term backdoors that allow hackers to gain access to networks.
Since 2016, TrickBot has continued to evolve in both tactics and targeting. In 2019, the malware changed its technique to go after remote desktop application credentials and target firms using tax themed phishing. And in August it was targeting users of U.S. mobile carriers Verizon, T-Mobile and Sprint via web injects, in order to steal their PIN codes.