Trickbot now uses Microsoft Excel to steal passwords and web browser data

The Microsoft Excel app on a mobile phone with headphones plugged in

The Trickbot malware, which has conventionally sought banking details, is now using a Microsoft Excel file ridden with malicious code to steal user credentials from web browsers.

Its new module dubbed pwgrab32 is attempting to steal autofill data, web history as well as usernames and passwords from browsers and several applications through a malicious Microsoft Excel file, researchers claim.

The attackers are spreading a file (named Sep_report.xls) via malicious code written in the Macro VBS programming language, executed when victims open the document. When Sep_report is opened users are then prompted to "enable content" on the embedded Macro, which activates and runs the malicious script.

After the malware downloads and runs the pwgrab32 module, it launches three threads to grab credentials from Internet Explorer, Firefox and Chrome, said a Fortinet security researcher Xiaopeng Zhang. In Zhang's version, a fourth thread for Edge was present but disabled.

Pwgrab32 then executes functions to steal autofill information from the web browser, credit card information, as well as credentials such as email address, country, company, street address, full name and phone number.

It steals stored usernames and passwords, internet cookies, browsing history, and HTTP posts. It is not capable of stealing passwords from third-party password manager applications such as Dashlane or LastPass, however, according to Trend Micro's security researchers Noel Anthony Llimos and Carl Maverick Pascual, who also analysed Trickbot.

Once the malware has completed this process, it moves on to harvest passwords from mail client Outlook, as well as File Transfer Protocol apps FileZilla and WinSCP.

The malware's new functionality came to researchers' attention last month, with Fortinet's Zhang capturing his sample on 19 October.

"Malware authors continue to cash in on Trickbot's modular structure - its ability to continually update itself by downloading new modules from a C&C server and change its configuration make for a malware that's ripe for updating," said Trend Micro's Noel Anthony Llimos and Carl Maverick Pascual.

"Users and enterprises can benefit from protection that use a multi-layered approach to mitigate the risks brought by threats like banking trojans."

Conventionally targeting victims' financial details, Trickbot has been alive and active since 2016 and is believed to be the reincarnation of the 'Dyre' attacks earlier this decade.

The modular nature of the malware means the attackers behind it have been able to expand into several areas beyond its original narrow focus as a banking trojan.

Other notable modules it has developed in the last couple of years include systeminfo32, which gathers data on a victim's OS, CPU and memory information, and networkDll32, an encrypted module which scans a network and steals network information.

Trickbot has even pivoted to Bitcoin wallet theft in recent months, with a Trickbot variant spotted last year that targets the Coinbase cryptocurrency exchange platform to steal user credentials, and funds.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.