Trickbot is a fairly well-known piece of malware that has been monitored by cyber-security experts ever since it first emerged in 2016.
It was a fairly simple piece of malware designed to steal sensitive information such as login credentials, system logins, and anything similar it can identify. Its targets have always been vulnerable Windows machines, of which there are many.
Sometimes malware is created for a single purpose and the hackers behind it will quickly dispose of it and create something new once it has been identified.
But sometimes, it makes more sense to modify an existing piece of malware rather than create a whole new one from scratch. And that is what experts have observed in the case of Trickbot.
OpenVPN accounts being targeted
Last month, security experts at Palo Alto Networks, a cyber-security company based in California, who were monitoring Trickbot began to see indicators that the malware was beginning to shift its attention from system and login passwords to data from OpenVPN and OpenSSH applications instead.
Their Unit 42 research team was running a compromised 64-bit Windows 7 device. When a Windows device is infected with Trickbot, the malware downloads various modules which are stored as files on the infected device and eventually decoded into DLL files that run in system memory.
The module that the Palo Alto researchers were focused on is called pwgrab64. It is not a new module. They have observed it on infected devices since November of last year. But previously, this module was focused on stealing passwords from web browsers and apps.
In February, the pwgrab64 module was updated to target credentials used to authenticate to remote servers using VNC, PuTTY, and Remote Desktop Protocol (RDP).
Now they have noticed that it has been updated again. This time it is trying to use HTTP POST requests to send stolen OpenSSH private keys and OpenVPN passwords and configuration files back to its command and control servers.
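Since the files this module now goes after are SSH private keys and OpenVPN client configs, it is worth checking what those files would actually hand over if they were copied off a machine. The script below is an added example, not code from the article or from Palo Alto's research; it flags SSH private keys saved without a passphrase (in both the legacy PEM and openssh-key-v1 formats) and OpenVPN configs that keep a password file or an inline client key. The sample key and config are constructed, and the openssh-key-v1 blob is a minimal constructed header carrying only the cipher field rather than a complete key.

```python
import base64
import re
import struct

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+) PRIVATE KEY-----")

def ssh_key_is_encrypted(key_text: str) -> bool:
    """True if the key is passphrase-protected. Legacy PEM marks this with a
    'Proc-Type: 4,ENCRYPTED' header; openssh-key-v1 names the cipher in its
    first string field ('none' means the key material is stored in the clear)."""
    m = PEM_HEADER.search(key_text)
    if not m:
        raise ValueError("not a PEM-wrapped private key")
    body = key_text[m.end():key_text.index("-----END")]
    if m.group(1) != "OPENSSH":
        return "ENCRYPTED" in body
    raw = base64.b64decode("".join(body.split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("bad openssh-key-v1 magic")
    (cipher_len,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
    cipher = raw[len(magic) + 4:len(magic) + 4 + cipher_len]
    return cipher != b"none"

def openvpn_findings(config_text: str) -> list:
    """List the secrets an OpenVPN client config would hand to a file thief."""
    findings = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments
        if not parts:
            continue
        if parts[0] == "auth-user-pass" and len(parts) > 1:
            # with a file argument the VPN password sits on disk in that file
            findings.append(f"VPN username/password saved on disk in {parts[1]}")
        elif parts[0] == "<key>":
            findings.append("client private key embedded inline in the config")
    return findings

# Constructed samples (hypothetical values, not real keys or a real config).
def make_openssh_key(cipher: bytes) -> str:
    """Build a minimal openssh-key-v1 blob carrying only the cipher field."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_OVPN = "client\nremote vpn.example.invalid 1194\nauth-user-pass creds.txt\n<key>\nAAAA\n</key>\n"
```

A key that reports False or a config with findings is exactly the material pwgrab64 is built to collect, so add a passphrase to the key and drop the stored password file (OpenVPN will prompt instead).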
In other words, it is now looking to steal your VPN login details.
Not active yet
If this concerns you and you are worried about your VPN account details being compromised, don’t panic. According to the Palo Alto researchers, Trickbot is not currently sending any actual data back to its servers yet.
This is most likely because whoever is behind this piece of malware is currently still testing out this new capability.
But it is still actively stealing the other data it has been targeting, so there is still good reason to be alert.
It is one of the most virulent and most frequently updated pieces of malware around, and VPN login details are just the latest in a series of targets that have ranged from Verizon, T-Mobile, and Sprint PIN codes to browser cookies.
While the VPN login grabbing tool might not yet be up and running, the Palo Alto researchers put it through its paces and found it to be robust, which suggests it is only a matter of time before the hackers behind Trickbot set it loose.
How to protect your VPN account from the Trickbot malware
If you are worried about Trickbot, the first thing to remember is that this malware only targets Windows devices. If you are running your VPN on an Android, iOS or macOS device, you have nothing to fear, but there are of course other pieces of malware out there you need to be aware of.
If you are running a Windows device, the best advice is to ensure that your Windows operating system is always up-to-date with the latest upgrades. Whenever Microsoft pushes out a security patch or a full upgrade, always be sure to install it at the earliest opportunity. This should ensure your device is safe from Trickbot.
You should also ensure that you are using up-to-date anti-virus and anti-malware software too. As long as you are using a reputable tool, this should also help to prevent Trickbot from executing on your device.
Lastly, Trickbot is circulated largely through phishing attacks. If you want to avoid falling victim to one, read our guide on how to spot and avoid phishing scams. The golden rule is never to click on a link or an attachment unless you are certain what it is and where it came from.
Trickbot’s evolution to targeting VPN accounts could give a clue as to the origin of this piece of malware. In authoritarian countries like Russia, Iran, and Communist China, regimes are seeking to stamp out the use of VPNs. A piece of malware that compromised accounts would no doubt be very useful to them.
This is all speculation at the moment. But the evolution of Trickbot is a reminder that while VPNs are a very effective online security and privacy tool, they are also an attractive target for hackers.