Recently, security researchers came across a variant of the TrickBot malware that was mistakenly warning users that they have suffered from an infection. According to Vitali Kremez from Advanced Intel, the mistake comes from a password-stealing module called grabber.dll.
The grabber.dll module is used by the threat actors to harvest saved browser credentials and cookies from Firefox, Internet Explorer, Edge, and Chrome browsers. Cybercriminals can then use the stolen cookies and credentials to log in to the victim's accounts. This can lead to severe financial losses, security issues, and even identity theft.
This Week In Malware Episode 20 Part 2: Bazar Malware Linked to Trickbot Banking Trojan Campaigns to Steal Personal Data
Kremez, however, observed that the TrickBot operators had simply pushed a test version of the password-stealing grabber.dll with their malware. When executed, the module delivered the following warning message in the victim's browser, informing them that a program is gathering their browser information:
You see this message because the program named grabber gathered some information from your browser.
If you do not know what is happening it is the time to start be worrying.
Please, ask your system administrator for details.
According to Kremez, the grabber.dll module seems to be developed by the same people who wrote the TrickBot code. He suspects that the cyber crooks were testing a new feature and forgot to remove the warning before they began distributing it in the wild.
Anyone who comes across this warning should take some steps in order to protect their system from malware. Kremez advised victims to immediately disconnect their machine from the network and perform a scan with legitimate antivirus software. Once they have done that, they should change the passwords of any accounts that might have been saved or recently logged into from their browser.