High
Researchers have analyzed a new TrickBot module that appears to have still been in development and was unintentionally deployed in the wild. The module, named “grabber.dll,” was discovered being loaded by a TrickBot sample with the gtag “chil48.” The module version was listed as 0.6.8, and its purpose appears to be stealing browser data such as stored passwords and cookies. Strangely, when loaded, the module opens a browser window that displays a warning message about the stealing activity taking place. The researchers hypothesize that this is likely a test module that was not supposed to be distributed to victims. Furthermore, it may indicate that legitimate coders are being hired under the ruse of developing anti-malware software in order to build part of the code. They also noted that another module associated with this sample, “socksbot.dll,” was discovered; it handles SOCKS5 proxy activity.