On July 10th, security researcher Vitali Kremez discovered a new TrickBot module by the name of “grabber.dll” being dropped by a sample originally found by @malwrhunterteam. This module is a typical browser information stealer targeting Chrome, Edge, Firefox and Internet Explorer. Many malware families steal passwords stored in browsers and information submitted through forms on websites. What makes it odd, however, is that it immediately opens the victim’s default browser to display a warning message:
Kremez was also able to find a detailed “help” prompt for the grabber, detailing the different options available and examples of how to use them. Advanced Intelligence currently believes this module to be in testing and mistakenly deployed to some victims. While investigating the grabber.dll module, another module named “socksbot.dll” was discovered. Not much detail was given for this module other than that it acts as a SOCKS5 proxy, which would allow the attacker to send network traffic through any compromised computer. Attackers often use this technique when committing fraud with a victim’s stolen password: because the login originates from the victim’s usual IP address, bank or shopping websites do not flag the attempt as unusual.
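To illustrate the defender's side of the SOCKS5 proxy behaviour described above, here is an added example (not code from the original post or from any TrickBot analysis) that parses the client side of a SOCKS5 handshake from reassembled TCP payloads and reports where proxied connections are headed. The flow records and host names below are constructed sample data, and the assumption is that the capture yields the client-to-server bytes of each flow in order.

```python
"""Flag SOCKS5 sessions in reassembled client payloads and extract their destinations."""
import ipaddress
import struct

def parse_socks5_greeting(data: bytes):
    """Client greeting: VER(0x05) NMETHODS METHODS... Returns methods and bytes consumed."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if len(data) < 2 + n:
        return None
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}

def parse_socks5_request(data: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 layout)."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    cmds = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
    if atyp == 0x01:                      # IPv4 address, 4 bytes
        if len(data) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                    # domain name, length-prefixed
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        host, end = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:                    # IPv6 address, 16 bytes
        if len(data) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": cmds.get(cmd, f"UNKNOWN({cmd})"), "host": host, "port": port}

def scan_flows(flows):
    """flows: (client, server, client_bytes). Returns one alert per SOCKS5 session found."""
    alerts = []
    for client, server, payload in flows:
        greeting = parse_socks5_greeting(payload)
        if greeting is None:
            continue
        req = parse_socks5_request(payload[greeting["consumed"]:])
        alerts.append({"client": client, "proxy": server, "request": req})
    return alerts

# Constructed sample flows: an HTTP request (benign) and two SOCKS5 sessions.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10:1080", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("203.0.113.7", "192.0.2.10:1080", b"\x05\x01\x00" + b"\x05\x01\x00\x03"
     + bytes([len("bank.example")]) + b"bank.example" + struct.pack("!H", 443)),
    ("203.0.113.9", "192.0.2.10:1080", b"\x05\x01\x00" + b"\x05\x01\x00\x01"
     + bytes([10, 0, 0, 5]) + struct.pack("!H", 443)),
]
```

Running `scan_flows(SAMPLE_FLOWS)` on the sample data yields two alerts, one naming the domain `bank.example:443` and one naming `10.0.0.5:443`, while the HTTP flow is ignored.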
If this warning is seen, the infected machine should be disconnected from the network as quickly as possible to prevent further theft or spread. Any sites that are logged into should be logged out of to invalidate any stolen session cookies, and any passwords saved to the browser should be changed from a different computer that is not infected. Endpoint Detection and Response (EDR) solutions can be used to monitor for suspicious activity taken by threats like TrickBot. Managed security services such as the Binary Defense Security Operations Center (SOC) can provide 24/7 monitoring to quickly detect, contain, and alert security teams to threats before they have the chance to spread throughout the network.