Symantec has detected a spam campaign, mainly targeting financial institutions, which uses social engineering to try and trick victims into installing “virus detection software” that is an information stealing Trojan, W32.Difobot.
The emails purported to come from HSBC, a banking and financial services company, and display an @hsbc.com email address.
The message asks to install virus detection software Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud.
However, the fake Rapport software is actually malicious and, if installed, does the opposite of what is claimed and steals information from the compromised computer.
The malware makes use of Windows GodMode in order to hide itself on infected computers. GodMode, also known as the Windows Master Control Panel shortcut, is a shortcut used to access various control settings in certain versions of Windows.
The email is loaded with security advisory information and eco-friendly messaging to make it look more convincing (ironically, the email recommends against opening attachments from unknown or non-trustworthy sources).
If the malware is executed, it creates a folder for itself and then uses Windows GodMode to hide so it can't be seen or removed.
The Trojan also modifies registry entries in order to disable notifications and system tools in an attempt to shield itself.
Once it is hidden on the compromised computer, the threat starts communicating with a command-and-control server. This can allow the attacker to perform actions remotely and steal information, such as financial data, from the infected computer.
The email campaign discussed in this blog took place over a 24-hour period from 10 February through 11 February.
However, the spam run may be part of a larger campaign as we have observed similar HSBC themed emails mentioning payment advice and with Themida-packed information-stealing malware on other occasions.