This malicious malware accidentally informed on its own creators


The developers of the famous banking Trojan TrickBot accidentally coded a feature that warns infected users of its presence on their device. Traditionally, TrickBot malware is distributed via phishing campaigns and runs stealthily on an infected machine, scraping credentials, stealing cryptocurrency wallets, and opening the door for secondary attacks. It was also recently discovered to contain a mechanism that checks the victim's screen resolution to determine whether it is running in a virtual machine, allowing operators to hinder researchers' attempts to analyze the malware. However, according to security researcher Vitali Kremez of Advanced Intel, the creators of TrickBot accidentally released a version that sends a warning message to users whose credentials have been stolen, alerting them to the infection.


Kremez believes that TrickBot's capture module is responsible for the alert. The module is designed to extract saved passwords and cookies from popular web browsers, including Chrome, Firefox, Internet Explorer, and Edge. When working as intended, it allows TrickBot to stealthily record login information and access victims' online accounts, including social media, email, and online retailers. In this case, however, it accidentally reports the malicious activity to the victim.

"Warning: You are seeing this message because a program called grabber has collected information from your browser," the pop-up alert reads. "If you don't know what's going on, now is the time to start worrying (sic). Ask your system administrator for details."

According to Kremez, the module is "coded in the same way" as the larger TrickBot malware, which suggests that the developers themselves are responsible. He claims that the only explanation for this eccentricity is that the creators forgot to remove the self-test feature when publishing a new test version.

Users who have received the message are advised to disconnect from the internet and scan their machine using antivirus software. After removing the malware, users should change the passwords for all accounts accessed via the affected browser.

Via Bleeping Computer