On July 10th, security researcher Vitali Kremez discovered a new TrickBot module by the name of “grabber.dll” being dropped by a sample originally found by @malwrhunterteam. This module is a typical browser information stealer targeting Chrome, Edge, Firefox and Internet Explorer. Many malware families steal passwords stored in browsers and information submitted through forms on websites. What makes it odd, however, is that it immediately opens the victim’s default browser to display a warning message:
Kremez was also able to find a detailed “help” prompt for the grabber, detailing the different options available and examples on how to use them. Advanced Intelligence currently believes this module to be in testing and mistakenly deployed to some victims. While investigating the grabber.dll module, another module named “socksbot.dll” was discovered. Not much detail was given for this module other than it was acting as a SOCKS5 proxy, which would allow the attacker to send network traffic through any compromised computer. Attackers often use this technique when committing fraud using the victim’s password to impersonate them, so that bank websites or shopping sites do not detect the login attempt as unusual since it originated from the victim’s usual IP address.