March 13, 2017
Last month, Symantec detected a spam campaign mainly targeting financial institutions, which used social engineering to try to trick victims into installing “virus detection software” that was in fact an information-stealing Trojan (W32.Difobot).
The emails purported to come from HSBC, a banking and financial services company based in London, even displaying an hsbc.com email address. The messages claimed that the virus detection software was Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud. However, the fake Rapport software is actually malicious and, if installed, does the opposite of what is claimed and steals information from the compromised computer. The malware also uses Windows GodMode in order to hide itself on infected computers.
The email is loaded with security advisory information and eco-friendly messaging to make it look more convincing (ironically, the email recommends against opening attachments from unknown or non-trustworthy sources). However, there are plenty of warning signs that should alert users that there is something amiss.
One of the first signs that the email is not legitimate is in the subject line (Figure 1), where the phrase “Payment Advice” is followed by a large gap and then 10 random characters.
The language and sentence structure used in the email should also raise concerns with recipients. Some sentences do not make sense, such as “The advice is for your reference only and has been instructed to send e-mail notifications to you.” However, other parts of the email, such as the “Security tips” section, are written in perfect English which suggests they are copied from other sources.
The email also states that “payment advice” is attached but later refers to the attachment as “virus detection software.”
Perhaps the biggest warning sign is the attachment itself. While it is highly unlikely that any legitimate banking email would come with a .7z attachment, it is even more unbelievable that the attachment would contain antivirus software.
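The warning signs listed above translate directly into a mail-gateway or triage heuristic. The following Python script is an added example, not code from the original post or from Symantec; it uses only the standard library. The message it parses is a constructed sample modelled on the campaign (the attachment payload is just placeholder bytes, not the real RapportSetup.7z). The comparison of the displayed From domain against the Return-Path domain is an extra check that a practitioner would normally add; the post itself only notes that the emails displayed an hsbc.com address.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the campaign described in the post.
# Headers, body text and the attachment bytes are made up for this example;
# the base64 payload is only a 7z header placeholder, not the real archive.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: HSBC Payment Advice <advising.service@hsbc.com>
To: accounts@victim.example
Subject: Payment Advice          Kq7Lm2Xr9B
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

The advice is for your reference only and has been instructed to send e-mail notifications to you.
Please find attached payment advice and the virus detection software (Rapport).

Security tips: Never open attachments from unknown or non-trustworthy sources.
Please consider the environment before printing this email.

--sep
Content-Type: application/x-7z-compressed; name="RapportSetup.7z"
Content-Disposition: attachment; filename="RapportSetup.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAAAAAAAAAAAAAAAAAAAAAAA
--sep--
"""

# "Payment Advice", a run of two or more whitespace characters, then exactly
# ten alphanumerics at the end of the subject, as seen in the campaign.
SUBJECT_RE = re.compile(r"Payment Advice\s{2,}[A-Za-z0-9]{10}$")

# Archive types a bank has no business sending as a payment advice.
ARCHIVE_EXTS = (".7z", ".zip", ".rar", ".ace", ".iso")


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of an address like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Subject line: fixed phrase, large gap, ten random characters.
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        findings.append("subject: 'Payment Advice' + gap + 10 random characters")

    # 2. Displayed From domain vs. envelope sender (Return-Path). This check is
    #    an assumption added here; the post does not describe the Return-Path.
    from_dom = sender_domain(str(msg.get("From", "")))
    rp_dom = sender_domain(str(msg.get("Return-Path", "")))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"header: From domain {from_dom} != Return-Path domain {rp_dom}")

    # 3. Body contradicts itself about what the attachment is.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if "payment advice" in text and "virus detection software" in text:
        findings.append("body: attachment described as both payment advice and antivirus")

    # 4. Attachments: archives and installer-like names from a bank.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            findings.append(f"attachment: archive {name} from a bank")
        if "setup" in name or "install" in name:
            findings.append(f"attachment: installer-like name {name}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script reports all five findings (subject pattern, sender domain mismatch, contradictory body, archive attachment, installer-like file name); a plain message with no attachments produces none. Any one finding alone is weak evidence, which is why the checks are kept separate so a gateway rule can weight them rather than block on a single hit.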
Fake security software
The .7z file (RapportSetup.7z) attached to the email contains the following files:
Other signs that point to this “security software” being suspicious include the fact that the Themida-packed executable has version information related to Navicat, a popular admin tool for databases, and not for Rapport. The file also has an invalid digital certificate.