Skip to main content

VPN accounts targeted by new malware

(Image credit: Shutterstock)

Researchers have warned VPN users to check their security protection after a new malware targeting accounts was detected.

Trickbot is a modular malware which was first observed in 2016 and it steals system information, login credentials and other sensitive data from vulnerable Windows machines.

However, in November, security researchers from Palo Alto Networks began to see indicators that Trickbots' password grabber module had begun to target data from OpenSSH and OpenVPN applications.

When a Windows host is infected with Trickbot, it downloads different modules to perform various functions. The modules themselves are stored as encrypted binaries in a folder located in the infected system's AppData\Roaming directory and they are then decoded as DLL files that run from system memory.

Pwgrab64 is a password grabber used by Trickbot and this module retrieves login credentials stored in a victim's browser cache but it can also obtain login credentials from other applications installed on a victim's host.

Targeting OpenSSH and OpenVPN

Traffic patterns from recent Trickbot infections were fairly consistent until November when Palo Alto Networks started seeing two new HTTP POST requests for OpenSSH private keys and OpenVPN passwords and configs caused by the malware's password grabber.

Thankfully these updates to Trickbot's password grabber module may not be fully functional yet as the researchers did not see any actual data from OpenVPN contained in the traffic coming from the malware. They also set up Trickbot infections in lab environments where HTTP POST requests generated by the password grabber for OpenSSH and OpenVPN contained no data.

However, Trickbot's password grabber does indeed work and will still obtain SSH passwords and private keys from an SSH/Telnet client named PuTTY.

The updated traffic patterns discovered by Palo Alto Networks show that Trickbot continues to evolve but users can avoid falling victim to this malware by running fully-patched and up-to-date versions of Microsoft Windows.

  • Also check out our complete list of the best VPN services