TrickBot’s screenlocker feature added to a banking trojan was never intended to be used for ransomware-like operations, researchers from Fortinet revealed on Monday. Fortinet researchers have also detailed the inner-workings of another TrickBot module that scours local SQL servers for records that look like email addresses. TrickBot uses the Mimikatz password-dumping tool to steal WDigest credentials from a Windows computer’s LSA memory, where they are stored in plaintext. It is believed TrickBot authors use these email addresses to bolster their email spam lists.
Source: https://www.bleepingcomputer.com/news/security/trickbots-screenlocker-module-isnt-meant-for-ransomware-ops/