Trickbot Trojan Updated to Obtain VNC, PuTTY, and RDP Credentials

The Trickbot banking Trojan has been updated with a new module which is capable of obtaining VNC, PuTTY, and remote desktop credentials.

The latest variant of Trickbot is being distributed in a tax season-themed phishing campaign involving emails that offer help with recent changes to the U.S. tax code to reduce tax bills.

The emails appear to have been sent by the accounting organization Deloitte and have a tax incentive-related subject line. Each email carries an Excel (XLSM) attachment containing a malicious macro that downloads the Trickbot Trojan. The latest Trickbot variant includes an updated pwgrab module with three new functions for Virtual Network Computing (VNC), PuTTY, and RDP. The malware is capable of obtaining credentials for these platforms, along with hostnames, port, and proxy settings, and exfiltrates the data to the attacker’s C2 servers.

The Trickbot Trojan is under active development and is regularly updated with new capabilities. New anti-analysis techniques are regularly incorporated and the Trojan is capable of disabling some security tools. The pwgrab password-stealing module was added to the Trojan in November 2018. The latest version of the Trojan was identified by Trend Micro in January 2019. Trend Micro notes that the latest updates make this already dangerous malware even more of a threat.

The constant updating of the Trojan is likely to see it remain one of the top malware threats, along with Emotet. Both of these banking Trojans are primarily distributed via spam email. The easiest way to prevent installation of the malware is to block spam emails at the gateway so that they are not delivered to end users’ inboxes.

With an advanced spam filtering solution in place, it is possible to prevent the majority of malicious emails from being delivered. Businesses should also ensure that end users receive security awareness training and are taught how to identify and respond to email threats. Email best practices should be followed, such as never opening attachments contained in unsolicited emails, especially when sent from unknown individuals. Attachments should only be opened when they can be verified as having been sent from a legitimate source.
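As an added illustration of gateway-side filtering for the macro-enabled Excel attachments described above (example code written for this page, not from Trend Micro or any spam filtering product), the Python sketch below flags attachments by content rather than by file extension. The function names and the sample message are assumptions constructed for the example; the check relies on the fact that Office Open XML workbooks are ZIP containers that store macros in a `vbaProject.bin` part.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

VBA_PART = "vbaproject.bin"  # OOXML part that stores the VBA macro project

def has_vba_project(data: bytes) -> bool:
    """True if data is a ZIP (OOXML) container holding a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(VBA_PART) for n in zf.namelist())
    except zipfile.BadZipFile:  # not a ZIP at all, or a corrupt one
        return False

def macro_attachments(raw_email: bytes) -> list:
    """Return filenames of attachments that carry a VBA project."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_project(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def _ooxml(parts: dict) -> bytes:
    """Build a constructed OOXML-like ZIP for the sample (inert placeholder data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def sample_email() -> bytes:
    """Constructed sample message: one macro-bearing workbook, one clean workbook."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    macro = _ooxml({"xl/workbook.xml": "<workbook/>", "xl/vbaProject.bin": b"\x00"})
    clean = _ooxml({"xl/workbook.xml": "<workbook/>"})
    for data, name in ((macro, "summary.xlsm"), (clean, "clean.xlsx")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(sample_email()))
```

A gateway rule built on this kind of check would typically quarantine flagged messages for review rather than deliver them to the inbox.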

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of