This infamous malware accidentally tattles on its own creators

News
By published

TrickBot malware mistakenly alerts victims to malicious activity

(Image credit: Shutterstock / Magura)

Developers of the infamous TrickBot banking trojan have accidentally coded in a feature that alerts infected users to its presence on their device.

Traditionally, TrickBot malware is distributed via phishing campaigns and operates stealthily on an infected machine, scraping credentials, stealing from cryptocurrency wallets and opening the door to secondary attacks.

It was also recently found to contain a mechanism that checks the victim’s screen resolution to determine whether it is running in a virtual machine, allowing operators to hinder the attempts of researchers to analyze the malware.

However, according to security researcher Vitali Kremez of Advanced Intel, the TrickBot creators are accidentally circulating a version that serves a warning message to users whose credentials have been stolen, thereby alerting them to the infection.

TrickBot malware

Kremez believes TrickBot’s “grabber” module is responsible for the alert, designed to scrape saved passwords and cookies from popular web browsers, including Chrome, Firefox, Internet Explorer and Edge.

When working as intended, the module allows TrickBot to stealthily lift login credentials and gain access to the victim’s online accounts - including social media, email, online retailers etc. - but in this instance accidentally reports the malicious activity to the victim.

“Warning - you see this message because the program named grabber gathered some information from your browser,” reads the pop-up alert.

“If you do not know what is happening it is the time to start be worrying (sic). Please, ask your system administrator for details.” 

According to Kremez, the module is “coded in the same fashion” as the wider TrickBot malware, suggesting the same developers are responsible. The only explanation for this eccentricity, he claims, is that the creators forgot to remove the self-reporting functionality when a new test build went live.

Users served the error message are advised to disconnect from the internet and scan their machine using antivirus software. Once any malware has been removed, users should change all passwords for accounts logged into via the affected browser.

Via Bleeping Computer

TOPICS
Joel Khalili
Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.

Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
More about security
Sam Altman and OpenAI

OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Nintendo Switch 2 Joy-Con up-close from app store

Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
See more latest
Most Popular
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
HP ZBook Ultra G1a
HP's ridiculously fast Ryzen AI Max+ Pro 395 laptop with 128GB RAM goes on sale everywhere in the US, but it won't be cheap
A mobile phone showing the Signal logo in front of a screen showing the app
Signalgate explained: what is Signal, and how secure is the messaging app?
Asus Ascent GX10 Rear
Asus's more affordable version of Nvidia's uber-popular Project Digits snapped at GTC 2025
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA