A version of TrickBot spotted recently shows interest in data that is peculiar for the normal scope of banking trojans: the Windows system reliability and performance information.
Microsoft runs a Reliability Analysis Component (RAC) on Windows operating systems to supply the Reliability Monitor with details about software installations, upgrades, errors from the operating systems and applications, as well as hardware-related issues.
For this purpose, it uses the RACAgent scheduled task on an hourly basis and dumps all the data to a local folder. You can disable the collection of these details from the Task Scheduler applet, but by doing so you no longer get the Reliability Monitor's System Stability Index.
An analysis of a phishing campaign from My Online Security reveals that a TrickBot variant spotted this week focused on reading and grabbing the OS reliability database and information available under C:\ProgramData\Microsoft\RAC\.
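A defender-side check for the two artifacts named above, the reliability task and the on-disk RAC data, as an added PowerShell example (not from the article or from the researchers cited). It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module, an elevated shell for the audit step, and the task path `\Microsoft\Windows\RAC\`, which is where current Windows builds register the reliability agent task.

```powershell
# Added example (not from the article): inspect what TrickBot was observed
# collecting and make reads of it visible to the Security event log.
# Assumes Windows 8+/Server 2012+ and an elevated shell for the audit step.
# Task path \Microsoft\Windows\RAC\ is an assumption; adjust if yours differs.

function Get-RacExposure {
    [CmdletBinding()]
    param(
        [string]$RacPath  = 'C:\ProgramData\Microsoft\RAC',
        [string]$TaskPath = '\Microsoft\Windows\RAC\'
    )
    # 1. Is the reliability collection task enabled, and when did it last run?
    $tasks = Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task        = $_.TaskName
                State       = $_.State
                LastRunTime = $info.LastRunTime
            }
        }
    # 2. What is currently on disk for a malicious process to read?
    $files = Get-ChildItem -Path $RacPath -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
    [pscustomobject]@{ Tasks = $tasks; Files = $files }
}

function Enable-RacReadAudit {
    # Add a SACL entry so successful reads under the RAC folder are logged as
    # Security event 4663. Needs "Audit File System" success auditing enabled:
    #   auditpol /set /subcategory:"File System" /success:enable
    param([string]$RacPath = 'C:\ProgramData\Microsoft\RAC')
    $acl  = Get-Acl -Path $RacPath -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $RacPath -AclObject $acl
}

Get-RacExposure | Format-List
```

The agent's own hourly reads (running as SYSTEM) will also produce 4663 events, so filter on the Subject account and Process Name fields to surface reads by user-land processes such as a binary spawned from a document macro.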
Security researcher James published on Twitter a list of files trawled by the malware:
It is unclear what use this type of data would be to the crooks, but it may serve malicious purposes, such as better targeting with phishing emails.
This campaign delivers TrickBot through messages purporting to be from Lloyds Bank, sent from the address 'email@example.com', which is easy to mistake for a genuine email from the bank.
The fraudsters made an effort to craft believable messages that entice the potential victim to open an attached document containing a malicious macro. If enabled, the macro code downloads and executes TrickBot.
The Office Word document attached to the email includes the Lloyds Bank letterhead to make it look genuine. Furthermore, the crooks added the Symantec logo to make it seem as if the file passed verification from a security solution.
Despite all the efforts to hide its malicious nature, the file is currently detected by at least 30 antivirus engines on VirusTotal.