The screen-locking feature added to a popular banking trojan was never intended to be used for ransomware-like operations, researchers from Fortinet revealed on Monday.
The banking trojan in question is TrickBot, and the screenlocker component was first seen at the end of March by multiple security firms and independent researchers.
Initially, researchers believed the TrickBot authors were in the first phases of deploying a screen-locking component that would transform the malware into a dual threat —of banking trojan and ransomware combined.
At the time, there was no support for file encryption operations, and researchers believed this was because they caught an early version of this particular module, expecting newer versions to roll out in the following weeks.
Screenlocker module used for password theft
But with no new versions of this module being spotted in the wild, and after intensive analysis, Fortinet researchers revealed the screen-locking component has nothing to do with ransoming operations and instead is part of TrickBot’s password-stealing exploitation chain.
Recent versions of the TrickBot banking trojan leverage the Mimikatz password-dumping tool to steal WDigest credentials from a Windows computer’s LSA memory, where they are stored in plaintext.
In recent OS versions, Microsoft protects WDigest credentials under a registry key. TrickBot flips this registry key to enable WDigest credentials storage in LSA memory and then uses Mimikatz to retrieve the credentials.
This is where TrickBot’s screenlocker module comes into play, as the user must re-log into his account after WDigest support is enabled. By logging the user out and forcing him to reauthenticate, TrickBot makes sure the WDigest credentials are cached inside the operating system’s LSA memory, so it can scan and retrieve these details.
So all in all, the screenlocker module is actually a function that locks the user out of his account, and then redirects him to the login page without no intention of asking for any ransom.
Screenlocker module active for Windows 8 or later only
“This function is only executed on Windows 8/Server 2012 or newer versions,” Fortinet said about the screenlocker module’s usage.
This is because Microsoft introduced the registry key with a default value of “0” (that disables WDigest) with the release of Windows 8.1 and later OS versions. Microsoft backported the registry key for older OS versions via a security update, but the registry key is not set to “0” as WDigest is more widely used on older systems, and hence, TrickBot doesn’t need the screenlocker module to work on older PCs.
Besides deciphering the purpose of this so-called screenlocker module, Fortinet researchers have also detailed the inner-workings of another TrickBot module that scours local SQL servers for records that look like email addresses. It is believed TrickBot authors use these email addresses to bolster their email spam lists.