An email spam campaign targeted financial organizations with Difobot malware that masqueraded as fake computer security software.
The campaign begins when an employee at a financial institution receives an email purporting to originate from HSBC, a banking and financial service institution based which suffered a distributed denial-of-service (DDoS) attack back in January 2016. Spammers use a spoofed email address like “email@example.com” and urge the recipient to download Rapport, a security program designed by Trusteer which helps prevent bank-related fraud. The message even lists some best security practices, including updating all security software on a regular basis and not clicking on suspicious links and email attachments.
But things get a little iffy when you look at the rest of the message.
For instance, the subject line says the email has something to do with making a payment, but the words “Payment Advice” are separated from 10 seemingly random characters by a large gap. The email message also mentions payment advice. However, it does so using sentences that don’t make any sense. Case and point: “The advice is for your reference only and has been instructed to send e-mail notifications to you.”
That’s not even the most obvious giveaway. Symantec’s Rohit S. and Bhaskar Krishna elaborate on that point in a blog post:
“Perhaps the biggest warning sign is the attachment itself. While it is highly unlikely that any legitimate banking email would come with a .7z attachment, it is even more unbelievable that the attachment would contain antivirus software.”
It’s therefore no surprise the “security software” has an invalid digital certificate and has version information not relating to Rapport. That’s because the software is actually Difobot malware that uses Windows GodMode to hide itself and modifies registry entries to shield itself. Difobot also communicates with its command and control (C&C) server, a channel through which it can exfiltrate sensitive financial information.
The campaign took place over a 24-hour period between 10-11 February. Seeing as how researchers have spotted other HSBC-themed spam mail, this campaign could be part of a larger operation targeting financial institutions. With that in mind, organizations should train their employees to not click on suspicious links or email attachments and to keep their security software up-to-date.