The developers of the famous TrickBot malware accidentally left in a test module that warns victims that they are infected and need to contact their administrator.
TrickBot is a malware infection that is usually spread by malicious spam. Once installed, the malware runs silently on the victim's machine while downloading different modules that perform different tasks on the infected computer.
These modules allow the malware to steal a domain's Active Directory Services database, collect passwords and browser cookies, steal OpenSSH keys, and spread laterally across a network.
The developers of TrickBot made a mistake
In a recent version of the TrickBot malware analyzed by Advanced Intel's Vitali Kremez, the hackers mistakenly distributed a test version of the password-stealing module grabber.dll.
When loaded, this module displays a warning in the default browser stating that the program is collecting information and that the victim should consult their system administrator.
This warning is not an isolated case, as BleepingComputer found a user infected with TrickBot who posted a question related to this warning 16 days ago on Reddit.
"Firefox warns me about a program called grabber. What is this and what should I do?" the Reddit user asked.
Grabber.dll is the TrickBot password and cookie theft module that attempts to collect browser credentials and cookies from Chrome, Edge, Internet Explorer, and Firefox. These stolen credentials and cookies can then be used to log in to the victim's accounts.