A version of TrickBot spotted recently shows interest in data that is peculiar for the normal scope of banking trojans: the Windows system reliability and performance information.

Microsoft runs a Reliability Analysis Component (RAC) on Windows operating systems to supply the Reliability Monitor with details about software installations, upgrades, errors from the operating systems and applications, as well as hardware-related issues.

For this purpose, it uses the RACAgent scheduled task on an hourly basis and dumps all the data to a local folder. You can disable the collection of these details from the Task Scheduler applet, but by doing so you no longer get the Reliability Monitor's System Stability Index.

Phishing campaign reveals TrickBot's new interest

An analysis of a phishing campaign from My Online Security reveals that a TrickBot variant spotted this week focused on reading and grabbing the OS reliability database and information available under C:\ProgramData\Microsoft\RAC\.

Security researcher James published a list of files trawled by the malware on Twitter:

Exfiltrated Data

It is unclear what use this type of data would be to the crooks, but it may serve malicious purposes, such as better targeting with phishing emails.
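As an added defensive example (not from the article or the researchers it cites), the following Python check flags file-access events on the RAC directory named above when the reading process is not one of the expected Reliability Analysis components. The simplified event format, the sample records and the allow-list of expected binaries are assumptions to be tuned per environment.

```python
"""Flag reads of the Windows Reliability Analysis (RAC) store by unexpected processes."""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directory the article names as the TrickBot variant's target.
RAC_DIR = PureWindowsPath(r"C:\ProgramData\Microsoft\RAC")

# Hypothetical allow-list of binaries expected to touch the RAC store. The
# RACAgent task is named in the article; the image paths here are assumptions.
EXPECTED_READERS = {
    r"c:\windows\system32\racagent.exe",
    r"c:\windows\system32\perfmon.exe",
}


def _under_rac_dir(path: str) -> bool:
    """True if `path` is a file or subfolder inside RAC_DIR (case-insensitive).

    Compares path components, so a sibling such as C:\\ProgramData\\Microsoft\\RACx
    does not match on a string prefix."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    want = [p.lower() for p in RAC_DIR.parts]
    return parts[: len(want)] == want and len(parts) > len(want)


def unexpected_rac_access(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return file-access events on RAC data whose process is not allow-listed."""
    flagged = []
    for ev in events:
        if not _under_rac_dir(ev["path"]):
            continue  # not RAC data, ignore
        if ev["image"].lower() in EXPECTED_READERS:
            continue  # legitimate reliability component
        flagged.append(ev)
    return flagged


# Constructed sample records in a simplified SIEM-export shape (not real logs).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\RacAgent.exe", "user": "SYSTEM",
     "path": r"C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "user": "alice",
     "path": r"C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf"},
    {"image": r"C:\Windows\explorer.exe", "user": "alice",
     "path": r"C:\Users\alice\Documents\invoice.docx"},
    {"image": r"C:\Windows\System32\notepad.exe", "user": "alice",
     "path": r"C:\ProgramData\Microsoft\RACother\notes.txt"},  # sibling folder, not RAC
]

if __name__ == "__main__":
    for hit in unexpected_rac_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} read {hit['path']} as {hit['user']}")
```

Only the second sample record is reported; the RACAgent read is allow-listed and the sibling folder does not match on component comparison.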

TrickBot delivery via fake Lloyds Bank email

This campaign sends TrickBot with messages purporting to be from Lloyds Bank using the address 'donotreply@lloydsbankdocs.com,' which is easy to mistake for a genuine email from the bank.

The fraudsters made an effort to craft believable messages that entice the potential victim to open an attached document containing a malicious macro. If enabled, the macro code downloads and executes TrickBot.

Phishing email

The Office Word document attached to the email includes the Lloyds Bank letterhead to make it look genuine. Furthermore, the crooks added the Symantec logo to make it seem as if the file passed verification from a security solution.

Despite all the efforts to hide its malicious nature, the file is currently detected by at least 30 antivirus engines on VirusTotal.
