Avatar

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer product called Rapport. Within minutes of the campaign starting, we were seeing millions of messages.

spam3

This spam impersonated a security update from Trusteer. Attached to this file was the “RaportUpdate” file, which contained a trojan. We’ve identified this specific trojan as Fareit. This file is designed to impersonate an update to the legitimate Rapport product, which, as described by Trusteer, “Protects end users against Man-in-the-Browser malware and phishing attacks. By preventing attacks, such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover.”

It’s important to note that while this end-point solution is designed to protect against browser-based threats, this specific attack is email-based. If the user downloads and executes the attachment via their mail client, it could bypass their browser and the protections of a legitimate Rapport client, entirely. If an end user is tricked into running malicious software for an attack via an avenue the attacker can reasonably predict, it becomes much easier to bypass network security devices and software.

 

trusteer

 

Upon execution, the malicious attachment reaches out to several sites looking for an update. The malware then downloads several executable files to the victim machine and attempts to harvest credentials. This trojan is primarily designed to steal financial information from victims, but the techniques it utilizes include key logging to capture, as well as other forms of data theft that aren’t limited to financial account information. Any activity on a compromised machine should be considered recorded, including all online banking, instant messaging, tax sites, etc.

If compromised by this trojan, a user should stop using the computer right away and use another machine to change all online credentials. The user should also reset all secret questions and answer sets on important accounts and reinstall the machine from scratch. The trojan will attempt to contact the following domains:

 

hxxp://prospexleads.com
hxxp://phonebillssuck.com
hxxp://salsaconfuego.com
hxxp://nursenextdoor.com
hxxp://dreamonseniorwish.org
hxxp://acimg.anphis.pt
hxxp://positivepurchasingsandbox.positivedev.co.uk
hxxp://go4color.com

 



Authors

Craig Williams

Director

Talos Outreach