Cisco Blogs

Zeus Botnet Impersonating Trusteer Rapport Update

July 19, 2013 at 12:50 pm PST

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration, possibly to help the campaign escape notice, since it appears to target users of a Trusteer product called Rapport. Within minutes of the campaign starting, we were seeing millions of messages.

[Figure: spam3, graph of message volume over time for the campaign]

This spam impersonated a security update from Trusteer. Attached to the message was a file named “RaportUpdate”, which contained a trojan we have identified as Fareit. The file is designed to pass as an update to the legitimate Rapport product, which Trusteer describes as follows: “Protects end users against Man-in-the-Browser malware and phishing attacks. By preventing attacks, such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover.”

It is important to note that while this endpoint solution is designed to protect against browser-based threats, this specific attack is email-based. If the user saves and executes the attachment from their mail client, the malware never passes through the browser, so the protections of a legitimate Rapport client do not apply to it at all. When an end user can be tricked into running malicious software through a channel the attacker can reasonably predict, bypassing network security devices and software becomes much easier.
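One check a mail gateway or mailbox scanner would want for exactly this case, added here as an example that is not part of the original post and not a Cisco or Trusteer tool: parse an inbound message and flag attachments that are executables dressed up as updates, before a mail client ever offers them for a double-click. The sample message, the addresses and the attachment bytes are constructed (a 64-byte blob that starts with the PE “MZ” magic, not real malware); the filename “RaportUpdate.exe” assumes an .exe extension, which the post does not state.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when a user double-clicks them from a mail client.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "msi"}

def inspect_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Return the reasons an attachment looks like an executable posing as an update."""
    reasons = []
    name = (filename or "").lower()
    exts = name.split(".")[1:]          # "update.pdf.exe" -> ["pdf", "exe"]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if len(exts) >= 2:
            reasons.append("double extension hides the real type")
    if data[:2] == b"MZ":               # PE magic; catches renamed executables too
        reasons.append("PE (MZ) header")
        if last and last not in EXECUTABLE_EXTS:
            reasons.append(f"PE content behind a .{last} extension")
        if content_type and not content_type.startswith("application/"):
            reasons.append(f"declared {content_type} but body is a PE")
    if re.search(r"update|patch|rapport", name):
        reasons.append("filename poses as a security update")
    return reasons

def suspicious_attachments(raw_message: bytes) -> list:
    """Parse a raw message and return [(filename, [reasons...])] for flagged attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(fname, part.get_content_type(), data)
        if reasons:
            findings.append((fname, reasons))
    return findings

def build_sample_message() -> bytes:
    """Constructed lure resembling the campaign; addresses, text and bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Trusteer Rapport security update"
    msg.set_content("Please install the attached Rapport update.")
    fake_pe = b"MZ" + b"\x00" * 62     # only the magic bytes; not a real executable
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="RaportUpdate.exe")   # .exe is an assumption
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="statement.pdf")     # benign control attachment
    return bytes(msg)

if __name__ == "__main__":
    for fname, reasons in suspicious_attachments(build_sample_message()):
        print(fname, "->", "; ".join(reasons))
```

The PE magic check is the part worth keeping even if the extension list changes: a renamed executable still starts with MZ, and a declared text or image content type over MZ bytes is a stronger signal than the filename alone.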

[Figure: trusteer]

Upon execution, the malicious attachment reaches out to several sites looking for an update. The malware then downloads several executable files to the victim machine and attempts to harvest credentials. This trojan is primarily designed to steal financial information from victims, but its techniques include keylogging as well as other forms of data theft that are not limited to financial account information. Any activity on a compromised machine should be considered recorded, including all online banking, instant messaging, tax sites, etc.

If compromised by this trojan, a user should stop using the computer right away and use a different, clean machine to change all online credentials. The user should also reset the secret questions and answers on important accounts and reinstall the compromised machine from scratch. The trojan will attempt to contact the following domains (listed defanged, with hxxp in place of http):

 

hxxp://prospexleads.com
hxxp://phonebillssuck.com
hxxp://salsaconfuego.com
hxxp://nursenextdoor.com
hxxp://dreamonseniorwish.org
hxxp://acimg.anphis.pt
hxxp://positivepurchasingsandbox.positivedev.co.uk
hxxp://go4color.com
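A small indicator matcher, added here as an example and not part of the original post: it refangs the list above and checks proxy and DNS log lines for the listed hosts or their subdomains. The log lines, client addresses and timestamps are constructed; the last line carries a lookalike name that must not fire, because an indicator is only matched as a DNS label suffix, and anphis.pt on its own must not fire either, since only the host acimg.anphis.pt is listed.

```python
import re
from urllib.parse import urlsplit

# Indicator list as published in the post, still defanged with hxxp://.
IOC_LIST = """
hxxp://prospexleads.com
hxxp://phonebillssuck.com
hxxp://salsaconfuego.com
hxxp://nursenextdoor.com
hxxp://dreamonseniorwish.org
hxxp://acimg.anphis.pt
hxxp://positivepurchasingsandbox.positivedev.co.uk
hxxp://go4color.com
"""

# Constructed proxy/DNS log lines for the demo; not real traffic.
SAMPLE_LOG = """\
2013-07-19T15:02:10Z 10.0.0.5 dns query A www.prospexleads.com
2013-07-19T15:02:11Z 10.0.0.5 GET http://www.prospexleads.com/update.bin 200
2013-07-19T15:03:40Z 10.0.0.7 GET http://anphis.pt/index.html 200
2013-07-19T15:04:02Z 10.0.0.7 GET http://acimg.anphis.pt/x.exe 200
2013-07-19T15:05:00Z 10.0.0.9 GET http://www.cisco.com/ 200
2013-07-19T15:05:30Z 10.0.0.9 dns query A go4color.com.lookalike.example
"""

# Anything that looks like a hostname: labels joined by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so urlsplit can parse the indicator."""
    return (ioc.strip().lower()
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[.]", "."))

def parse_iocs(text: str) -> set:
    """Turn the defanged URL list into a set of lower-case hostnames."""
    hosts = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        host = urlsplit(refang(line)).hostname
        if host:
            hosts.add(host)
    return hosts

def match_indicator(host: str, iocs: set):
    """Return the indicator that host equals or is a subdomain of, else None.
    Suffix matching on DNS labels: www.prospexleads.com hits prospexleads.com,
    while go4color.com.lookalike.example and the parent anphis.pt do not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan_log(log_text: str, iocs: set) -> list:
    """Return (line_number, observed_host, matched_indicator) for each line
    whose URL host or query name touches an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for token in HOST_RE.findall(line):
            hit = match_indicator(token, iocs)
            if hit:
                hits.append((lineno, token.lower(), hit))
                break  # one hit per line is enough to raise an alert
    return hits

if __name__ == "__main__":
    for lineno, host, ioc in scan_log(SAMPLE_LOG, parse_iocs(IOC_LIST)):
        print(f"line {lineno}: {host} matches indicator {ioc}")
```

Suffix matching is deliberate: it catches www. and other subdomains of a listed apex domain without also flagging the parent of an entry that was published as a full hostname, which is the right default when an indicator may be a single compromised host on an otherwise ordinary domain.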

 



2 Comments.


  1. Could someone please change the graph with this article. It now looks as if there is an enormous spike at the 19th at 14:45, but if I read it correctly it is a cumulation of all messages from 0:00 until 14:45. This would be an average of about 200k messages per 15 minutes and that is more or less in line with what we see from 14:45 until 15:45.


    • hey Z,

      That image could be a type of cryptography that hides in plain sight. That self-executing code could be embedded in an image is a “bit” disturbing. As well as rootkit found on my Win7 and mass destruction of my XP. Good Luck
