This infamous malware accidentally tattles on its own creators
TrickBot malware mistakenly alerts victims to malicious activity
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Developers of the infamousTrickBot banking trojanhave accidentally coded in a feature that alerts infected users to its presence on their device.
Traditionally, TrickBotmalwareis distributed viaphishing campaignsand operates stealthily on an infected machine, scraping credentials, stealing from cryptocurrency wallets and opening the door to secondary attacks.
It was also recently found to contain a mechanism thatchecks the victim’s screen resolutionto determine whether it is running in avirtual machine, allowing operators to hinder the attempts of researchers to analyze the malware.
However, according to security researcher Vitali Kremez of AdvancedIntel, the TrickBot creators are accidentally circulating a version that serves a warning message to users whose credentials have been stolen, thereby alerting them to the infection.
TrickBot malware
Kremez believes TrickBot’s “grabber” module is responsible for the alert, designed to scrape saved passwords and cookies from popular web browsers, including Chrome, Firefox, Internet Explorer and Edge.
When working as intended, the module allows TrickBot to stealthily lift login credentials and gain access to the victim’s online accounts - including social media, email, online retailers etc. - but in this instance accidentally reports the malicious activity to the victim.
“Warning - you see this message because the program named grabber gathered some information from your browser,” reads the pop-up alert.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“If you do not know what is happening it is the time to start be worrying (sic). Please, ask your system administrator for details.”
According to Kremez, the module is “coded in the same fashion” as the wider TrickBot malware, suggesting the same developers are responsible. The only explanation for this eccentricity, he claims, is that the creators forgot to remove the self-reporting functionality when a new test build went live.
Users served the error message are advised to disconnect from the internet and scan their machine using antivirus software. Once any malware has been removed, users should change all passwords for accounts logged into via the affected browser.
ViaBleeping Computer
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set
