Last month, Symantec detected a spam campaign mainly targeting financial institutions, which used social engineering to try to trick victims into installing “virus detection software” that was in fact an information-stealing worm (W32.Difobot).
The emails purported to come from HSBC, a banking and financial services company based in London, even displaying an @hsbc.com email address. The messages claimed that the virus detection software was Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud. However, the fake Rapport software is actually malicious and, if installed, does the opposite of what is claimed and steals information from the compromised computer. The malware also uses Windows GodMode in order to hide itself on infected computers.
The email is loaded with security advisory information and eco-friendly messaging to make it look more convincing (ironically, the email recommends against opening attachments from unknown or non-trustworthy sources). However, there are plenty of warning signs that should alert users that there is something amiss.
One of the first signs that the email is not legitimate is in the subject line (Figure 1), where the phrase “Payment Advice” is followed by a large gap and then 10 random characters.
The language and sentence structure used in the email should also raise concerns with recipients. Some sentences do not make sense, such as “The advice is for your reference only and has been instructed to send e-mail notifications to you.” However, other parts of the email, such as the “Security tips” section, are written in perfect English which suggests they are copied from other sources.
The email also states that “payment advice” is attached but later refers to the attachment as “virus detection software.”
Perhaps the biggest warning sign is the attachment itself. While it is highly unlikely that any legitimate banking email would come with a .7z attachment, it is even more unbelievable that the attachment would contain antivirus software.
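As an added defender-side example (not code from the original post or from Symantec), the following Python script checks a message for the warning signs described above: a “Payment Advice” subject padded with whitespace and a random token, a sender claiming the bank's domain combined with an archive attachment, and a body that promises payment advice while the attachment is named like an installer. The sample message is constructed, and the regex thresholds are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the lure described in the post; not a real message.
SAMPLE_EML = (
    "From: HSBC Payment Advice <advice@hsbc.com>\n"
    "Subject: Payment Advice                                   Xk3pQz9LmT\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please find the payment advice attached. Do not open attachments from untrusted sources.\n"
    "--b1\n"
    'Content-Type: application/x-7z-compressed; name="RapportSetup.7z"\n'
    'Content-Disposition: attachment; filename="RapportSetup.7z"\n'
    "\n"
    "--b1--\n"
)

# Archive types a bank has no reason to send as a "payment advice" (assumed list).
ARCHIVE_EXT = (".7z", ".zip", ".rar")
# "Payment Advice", a run of 3+ whitespace characters, then an 8-12 character token at the end.
SUBJECT_RE = re.compile(r"Payment Advice\s{3,}[A-Za-z0-9]{8,12}\s*$")


def triage(raw):
    """Return a list of the indicators from the post that the raw RFC 822 message matches."""
    msg = email.message_from_string(raw)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject: 'Payment Advice' padded with whitespace and a random token")
    _, addr = parseaddr(msg.get("From", ""))
    claims_bank = addr.lower().endswith("@hsbc.com")
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    archives = [f for f in attachments if f.lower().endswith(ARCHIVE_EXT)]
    if claims_bank and archives:
        findings.append("bank sender with archive attachment: " + ", ".join(archives))
    body = next((p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"), "")
    if "payment advice" in body.lower() and any("setup" in f.lower() for f in attachments):
        findings.append("body promises 'payment advice' but the attachment is named like an installer")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("WARNING:", finding)
```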
Fake security software
The .7z file (RapportSetup.7z) attached to the email contains the following files:
- Rapport v126.96.36.199.exe
Other signs that point to this “security software” being suspicious include the fact that the Themida-packed executable has version information related to Navicat, a popular admin tool for databases, and not for Rapport. The file also has an invalid digital certificate.
If the malware is executed, it creates a folder for itself and then uses Windows GodMode to hide so it can't be seen or removed. GodMode, also known as the Windows Master Control Panel shortcut, is a shortcut used to access various control settings in certain versions of Windows.
The threat also modifies registry entries in order to disable notifications and system tools in an attempt to shield itself.
Once it is hidden on the compromised computer, the threat starts communicating with a command-and-control server. This can allow the attacker to perform actions remotely and steal information, such as financial data, from the infected computer.
The email campaign discussed in this blog took place over a 24-hour period from February 10 through February 11. However, the spam run may be part of a larger campaign as we have observed similar HSBC themed emails mentioning payment advice and with Themida-packed information-stealing malware on other occasions.
A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud, which can block email-borne threats, and Symantec Endpoint Security, which can block malware on the endpoint. For consumers, Norton Security will protect your computer from malware.
Tips for protecting yourself from email-borne threats:
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be suspicious of emails that demand some action without following usual procedures.
- Report the suspicious or obviously bogus emails to the proper authorities.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly-discovered security vulnerabilities that could be exploited by attackers.
Symantec.Cloud customers are protected from the emails discussed in this blog.
Symantec and Norton products protect against this attack with the following detections:
Intrusion prevention system: