TrickBot Banking Trojan Starts Stealing Windows Problem History [source: bleepingcomputer]
by CIRT Team
A recently spotted version of TrickBot shows interest in data that falls outside the normal scope of banking trojans: the Windows system reliability and performance information.
Microsoft runs a Reliability Analysis Component (RAC) on Windows operating systems to supply the Reliability Monitor with details about software installations, upgrades, errors from the operating systems and applications, as well as hardware-related issues.
For this purpose, it uses the RACAgent scheduled task on an hourly basis and dumps all the data to a local folder. You can disable the collection of these details from the Task Scheduler applet, but by doing so you no longer get the Reliability Monitor’s System Stability Index.
Phishing campaign reveals TrickBot’s new interest
An analysis of a phishing campaign from My Online Security reveals that a TrickBot variant spotted this week focused on reading and grabbing the OS reliability database and information available under C:\ProgramData\Microsoft\RAC\.
It is unclear what use this type of data would be to the crooks, but it may serve malicious purposes, such as better targeting with phishing emails.