TrickBot Goes After SSH Keys

Walden Systems Geeks Corner News

TrickBot has modified its password grabber to target data from the OpenSSH and OpenVPN applications. OpenSSH is a tool for remote login with the SSH protocol; it encrypts all traffic to eliminate eavesdropping. OpenVPN is used to secure private networks. TrickBot targets Windows hosts and then downloads various modules to steal information. One of these modules, Pwgrab64, retrieves login credentials stored in a victim's browser cache and from any installed applications.

The password grabber and some other TrickBot modules send stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by TrickBot. The URL in the HTTP POST request ends with the number 81; this number is used in URLs generated by TrickBot's password-grabber module.
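The two traits above (an unencrypted HTTP POST to TCP port 8082 and a request URL whose last path segment is 81) are enough to write a simple hunt over proxy or HTTP logs. The following is an added example, not code from the article: it assumes a one-record-per-line log layout of `<timestamp> <src_ip> <dst_ip>:<dst_port> <method> <url>`, and the sample log lines, hostnames, addresses and paths are constructed placeholders.

```python
"""Flag TrickBot password-grabber exfiltration in HTTP proxy logs.

Added example, not from the article. It matches the traits the article gives
for the pwgrab module's exfil traffic: an HTTP POST to TCP port 8082 whose
request URL ends in the path segment "81". The log format is an assumed
one-record-per-line layout:
    <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <url>
"""
import re
from collections import Counter
from urllib.parse import urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Constructed sample log lines; hosts, addresses and paths are placeholders.
SAMPLE_LOG = """\
2019-11-05T10:00:01Z 10.0.0.15 203.0.113.10:8082 POST http://203.0.113.10:8082/campaign/HOST-A_W617601/81/
2019-11-05T10:00:02Z 10.0.0.15 203.0.113.10:8082 POST http://203.0.113.10:8082/campaign/HOST-A_W617601/83/
2019-11-05T10:00:03Z 10.0.0.22 198.51.100.7:443 GET https://198.51.100.7/update
2019-11-05T10:00:04Z 10.0.0.31 203.0.113.10:8082 GET http://203.0.113.10:8082/status/81/
2019-11-05T10:00:05Z 10.0.0.40 192.0.2.9:8082 POST http://192.0.2.9:8082/campaign/HOST-B_W10/81
2019-11-05T10:00:06Z 10.0.0.40 192.0.2.9:8082 POST http://192.0.2.9:8082/campaign/HOST-B_W10/81/
"""


def last_path_segment(url):
    """Return the final path segment of a URL, ignoring a trailing slash."""
    path = urlparse(url).path.rstrip("/")
    return path.rsplit("/", 1)[-1]


def find_pwgrab_exfil(log_text, port=8082, marker="81"):
    """Return records that match all three traits: POST, destination port,
    and URL ending in the marker segment. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["method"] != "POST" or int(m["port"]) != port:
            continue
        if last_path_segment(m["url"]) != marker:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "dst_port": int(m["port"]),
            "url": m["url"],
        })
    return hits


def hosts_by_hit_count(hits):
    """Count flagged requests per internal source address, so the analyst
    sees which hosts are talking to the suspected collection server."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_pwgrab_exfil(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dst_port']} {h['url']}")
    print("hosts:", dict(hosts_by_hit_count(found)))
```

The match deliberately requires all three traits together: a URL ending in 81 alone is far too common to alert on, and port 8082 alone catches plenty of legitimate admin consoles. Adapt `LOG_RE` to the layout of the proxy or NetFlow export you actually have, and treat a hit as a lead to pivot on (what else did that host send to that address, and when) rather than a verdict.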


Hackers know that SSH keys can provide complete control over devices, and the latest TrickBot malware is very good at stealing these sensitive credentials. SSH keys need to be rotated frequently, and the only way to do this effectively is with automation, yet many organizations, including banks, never change them. Even worse, many SSH keys never expire, so they can be used to create long-term backdoors that allow hackers to gain access to networks.
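One concrete way to act on the point about keys that never expire is to audit the server side: OpenSSH's authorized_keys format supports an `expiry-time="YYYYMMDD[HHMM[SS]]"` option (documented in sshd(8) under AUTHORIZED_KEYS FILE FORMAT), after which sshd refuses the key. The script below is an added example, not from the article, that parses a constructed authorized_keys file, reports entries with no expiry at all, and flags entries whose expiry has already passed relative to a constructed reference date. The key material in the sample is placeholder text, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for keys that never expire.

Added example, not from the article. Parses authorized_keys entries
(optional comma-separated options, key type, base64 blob, comment), reads
the expiry-time="YYYYMMDD[HHMM[SS]]" option where present, and classifies
each key as no-expiry, expired, ok, or bad-expiry. Sample entries and the
reference date are constructed for illustration.
"""
from datetime import datetime

KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# Constructed reference "today" so the audit result is reproducible.
REFERENCE_NOW = datetime(2025, 1, 1)

# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0001 deploy@ci
expiry-time="20191231",from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0002 contractor@laptop
expiry-time="20260630" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY0003 admin@bastion
restrict,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY0004 backup@nas
"""


def split_options(line):
    """Split an entry into (options_string, remainder). Options may contain
    quoted values with spaces, so scan for the first unquoted whitespace."""
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(opts):
    """Turn 'a,b="x,y",c=1' into a dict, respecting commas inside quotes."""
    result, parts, cur, in_quote = {}, [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        parts.append("".join(cur))
    for p in parts:
        if "=" in p:
            k, v = p.split("=", 1)
            result[k] = v.strip('"')
        else:
            result[p] = True
    return result


def parse_expiry(value):
    """Accept the three timespec forms sshd allows; None if unparseable."""
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None


def audit_authorized_keys(text, now):
    """Return one finding per key entry with its expiry status."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts_str, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue  # not a key entry
        comment = fields[2] if len(fields) > 2 else ""
        expiry = parse_options(opts_str).get("expiry-time") if opts_str else None
        if expiry is None:
            status = "no-expiry"
        else:
            when = parse_expiry(expiry)
            status = "bad-expiry" if when is None else ("expired" if when <= now else "ok")
        findings.append({"line": lineno, "type": fields[0], "comment": comment, "status": status})
    return findings


def audit_sample():
    """Run the audit over the constructed sample against the reference date."""
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REFERENCE_NOW)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f['line']:>3}  {f['status']:<10} {f['type']:<20} {f['comment']}")
```

Entries reported as `no-expiry` are the ones the article is warning about; an expired entry is harmless to the server (sshd already rejects it) but is a sign nobody is cleaning the file up. Run this across the authorized_keys files of every host a stolen key could reach, not just the one it was found on, since the whole problem with a leaked key is that it is valid wherever it was ever installed.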

Since 2016, TrickBot has continued to evolve in both tactics and targeting. In 2019, the malware changed its technique to go after remote desktop application credentials and to target firms using tax-themed phishing. And in August it was targeting users of the U.S. mobile carriers Verizon, T-Mobile and Sprint via web injects in order to steal their PIN codes.