VPN accounts targeted by new malware

News
By
published

Trickbot malware update targets OpenVPN

Käyttäjä yhdistää VPN-palvelimeen
Image credit: Shutterstock (Image credit: Shutterstock)

Researchers have warned VPN users to check their security protection after a new malware targeting accounts was detected.

Trickbot is a modular malware which was first observed in 2016 and it steals system information, login credentials and other sensitive data from vulnerable Windows machines.

However, in November, security researchers from Palo Alto Networks began to see indicators that Trickbots' password grabber module had begun to target data from OpenSSH and OpenVPN applications.

When a Windows host is infected with Trickbot, it downloads different modules to perform various functions. The modules themselves are stored as encrypted binaries in a folder located in the infected system's AppData\Roaming directory and they are then decoded as DLL files that run from system memory.

Pwgrab64 is a password grabber used by Trickbot and this module retrieves login credentials stored in a victim's browser cache but it can also obtain login credentials from other applications installed on a victim's host.

Targeting OpenSSH and OpenVPN

Traffic patterns from recent Trickbot infections were fairly consistent until November when Palo Alto Networks started seeing two new HTTP POST requests for OpenSSH private keys and OpenVPN passwords and configs caused by the malware's password grabber.

Thankfully these updates to Trickbot's password grabber module may not be fully functional yet as the researchers did not see any actual data from OpenVPN contained in the traffic coming from the malware. They also set up Trickbot infections in lab environments where HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN contained no data.

However, Trickbot's password grabber does indeed work and will still obtain SSH passwords and private keys from an SSH/Telnet client named PuTTY.

The updated traffic patterns discovered by Palo Alto Networks show that Trickbot continues to evolve but users can avoid falling victim to this malware by running fully-patched and up-to-date versions of Microsoft Windows.

  • Also check out our complete list of the best VPN services
TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.