New malware campaign impersonates bank guardian Trusteer

When it comes to online banking security, banks have a big problem. How do they verify that a transaction request is actually coming from a customer and not from an identity thief or from a piece of malware controlling the customer's computer?

A Boston-based company named Trusteer sells banks solutions to this problem. Among those solutions is an endpoint malware detection program named Rapport. Banks are encouraged to offer this program to their important clients so that those clients' computers can be secured.

So, you're a malware author, and you're looking for online banking customers to compromise. Who better to target than people who are so important to a bank that they would receive special software to protect their accounts?

That targeting is just what is happening with the latest malicious spam campaign to appear in the Barracuda Labs spam honeypots.

This well-crafted email spoofs Trusteer and even customizes each message so that the attachment contains the email ID of the recipient. The name recognition and comfort associated with the Trusteer brand might very well be enough to persuade someone to open and run this attachment, thinking they are enhancing their computer security when in fact they are doing quite the opposite.
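The two traits that give this lure away at the mail gateway are a trusted brand in the display name sent from an unrelated domain, and an executable attachment personalised with the recipient's address. The following added example (not Barracuda's or Trusteer's code) flags both on a constructed sample message; it assumes trusteer.com is the vendor's legitimate sending domain.

```python
import email
import email.policy
from email.utils import parseaddr

# Brands that should only appear in From headers sent from their own domains.
# Constructed mapping; trusteer.com is assumed to be the vendor's real domain.
BRAND_DOMAINS = {"trusteer": {"trusteer.com"}}
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".zip")

# Constructed sample lure modelled on the campaign above; not a real message.
SAMPLE_LURE = """\
From: "Trusteer Rapport Team" <update@example.net>
To: alice@example.com
Subject: Trusteer Rapport security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update to protect your online banking.
--b1
Content-Type: application/octet-stream; name="Rapport_alice@example.com.exe"
Content-Disposition: attachment; filename="Rapport_alice@example.com.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def classify_message(raw: str) -> list:
    """Return the reasons a message looks like a brand-spoofing attachment lure."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, recipient = parseaddr(msg.get("To", ""))
    reasons = []
    # Brand names claimed in the display name or subject but sent from elsewhere.
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and sender_domain not in domains:
            reasons.append(f"'{brand}' claimed by unrelated domain {sender_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            reasons.append(f"executable or archive attachment {name}")
        # The campaign customised each attachment with the recipient's address.
        if recipient and recipient.lower() in name:
            reasons.append(f"attachment name personalised with recipient {recipient}")
    return reasons
```

Run `classify_message(SAMPLE_LURE)` to see all three indicators reported for the sample; a genuine notice from the vendor's own domain with no attachment returns an empty list.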

Only 8 out of 47 antivirus products even recognize the attached malware, which Malwarebytes does identify as Trojan.Agent.rfz.


This trojan downloads three other pieces of malware (one was already inaccessible when we ran our tests), all of which had even worse detection ratios – only 4 out of 47 for each, although these ratios should improve as antivirus vendors catch up. Note that the periodic contact with Google.com is typical of credential stealers, which use it to test internet connectivity.

Trusteer Rapport might actually intercept these downloads, although we have no way of knowing for sure. What we do know for sure is a maxim we repeat often in our blog – don't run attachments received in email unless you personally know the sender and the contents. It is just too easy to create perfectly deceptive phishing attacks. Instead, if you are asked to install or upgrade software, insist on a URL that is hosted on a reputable site.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.
