VPN accounts targeted by new malware


Researchers have warned VPN users to check their security protection after new malware targeting their accounts was detected.

Trickbot is modular malware, first observed in 2016, that steals system information, login credentials and other sensitive data from vulnerable Windows machines.

However, in November, security researchers from Palo Alto Networks began to see indicators that Trickbot's password grabber module had begun to target data from OpenSSH and OpenVPN applications.

When a Windows host is infected with Trickbot, it downloads different modules to perform various functions. The modules themselves are stored as encrypted binaries in a folder located in the infected system's AppData\Roaming directory and they are then decoded as DLL files that run from system memory.

Pwgrab64 is a password grabber module used by Trickbot. It retrieves login credentials stored in a victim's browser cache, and it can also obtain login credentials from other applications installed on the victim's host.

Targeting OpenSSH and OpenVPN

Traffic patterns from recent Trickbot infections were fairly consistent until November, when Palo Alto Networks started seeing two new HTTP POST requests, caused by the malware's password grabber, for OpenSSH private keys and for OpenVPN passwords and configs.

Thankfully, these updates to Trickbot's password grabber module may not be fully functional yet, as the researchers did not see any actual data from OpenVPN contained in the traffic coming from the malware. They also set up Trickbot infections in lab environments, where the HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN contained no data.

However, Trickbot's password grabber does indeed work and will still obtain SSH passwords and private keys from an SSH/Telnet client named PuTTY.

The updated traffic patterns discovered by Palo Alto Networks show that Trickbot continues to evolve, but users can avoid falling victim to this malware by running fully-patched and up-to-date versions of Microsoft Windows.
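The credential types named above (OpenSSH private keys, OpenVPN configs and PuTTY keys) are usable as soon as they are copied when no passphrase protects them. The Python below is an added example, not code from the article or from Palo Alto Networks: it flags such files by their format headers. The sample file names and contents are constructed, and `findings`, `openssh_cipher` and `_fake_openssh` are hypothetical helper names.

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\x00"
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def openssh_cipher(body_b64):
    """Cipher name from an openssh-key-v1 blob; 'none' means no passphrase."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack_from(">I", blob, len(MAGIC))
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii")

def findings(name, text):
    """List credential material in `text` that is readable without a passphrase."""
    out = []
    for label, body in PEM.findall(text):
        if label == "OPENSSH PRIVATE KEY":
            protected = openssh_cipher("".join(body.split())) != "none"
        elif label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, always encrypted
            protected = True
        else:                                       # legacy PEM or plain PKCS#8
            protected = "Proc-Type: 4,ENCRYPTED" in body
        if not protected:
            out.append(f"{name}: {label} has no passphrase")
    if re.search(r"^Encryption:\s*none\s*$", text, re.M):        # PuTTY .ppk header
        out.append(f"{name}: PuTTY key has no passphrase")
    m = re.search(r"^\s*auth-user-pass[ \t]+(\S+)", text, re.M)  # OpenVPN, file argument
    if m:
        out.append(f"{name}: OpenVPN credentials stored in {m.group(1)}")
    return out

def _fake_openssh(cipher):
    """Constructed key: real header layout, junk payload (not a usable key)."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 32
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample files (names and contents are made up for this example).
SAMPLES = {
    "id_ed25519": _fake_openssh(b"none"),
    "id_rsa": _fake_openssh(b"aes256-ctr"),
    "office.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: demo\n",
    "client.ovpn": "client\nremote vpn.example.test 1194\nauth-user-pass creds.txt\n",
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print("\n".join(findings(fname, content)) or f"{fname}: ok")
```

To audit a real host, read each candidate file as text and pass its name and contents to `findings`.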

Anthony Spadafora
