A new phishing campaign has been found delivering a variant of infamous TrickBot trojans to victims. The campaign spoofs the well-known bank, Lloyds, in order to trick its targeted users.
My Online Security, a UK-based cybersecurity firm, has revealed a detailed analysis of the phishing campaign. It found that the TrickBot variant focuses on reading and grabbing the OS reliability database. In addition, the banking trojan is found gathering information from C:\ProgramData\Microsoft\RAC\
In the campaign, the victim receives a phishing email that appears to come from Lloyds bank. The subject of the email reads, “Important: please review attached document(s) ” and is sent under the address of ‘donotreply@lloydsbankdocs[.]com'. The email contains an office file attachment with a malicious macro embedded within it.
“Lloyds Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails,” said My Online Security in its blog post.
Once the attachment is enabled, the macro code gets downloaded and executes TrickBot on to the victim’s machine.
“The Office Word document attached to the email includes the Lloyds Bank letterhead to make it look genuine. Furthermore, the crooks added the Symantec logo to make it seem as if the file passed verification from a security solution,” My Online Security explained.
Upon execution, the TrickBot is capable of exfiltrating data such as passwords, browsing history, bank & other financial details and logins from the infected system. This stolen data can be used by cybercriminals for various other nefarious tasks.
The researchers at My Online Security further disclosed that the malicious macros only affects the Windows computers as the attachment comes in the form of Office Word document. However, the macro can also run on Mac or any other device if it has Microsoft Office installed.