At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit detected as TROJ_ROOTKIT.FX, which hides files and processes so that the rest of the attack can run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
- Wachovia Connection Update Alert.
- Wachovia Connection Customer Support – Security Updates.
- Wachovia Connection upgrade warning.
- Wachovia Connection Emergency Alert System.
Below is a screenshot of a sample email:
The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system.
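To show what "cut off at various points" looks like in practice, here is an added example (not code from the original post or from Trend Micro) that maps constructed mail, proxy and AV log lines onto the stages of the chain described above and reports, per host, the first stage at which it was blocked. The log format, the hostnames and the phish.example domain are assumptions; the subject lines, file name and detection names are the ones the post reports.

```python
import re

# Indicators quoted in the post; every log line below is constructed for this example.
SPAM_SUBJECTS = {
    "Wachovia Connection Update Alert",
    "Wachovia Connection Customer Support – Security Updates",
    "Wachovia Connection upgrade warning",
    "Wachovia Connection Emergency Alert System",
}
DROPPER_FILE = "SPlusWachoviadigicert.exe"
DETECTION_STAGE = {"TROJ_AGENT.AINZ": "dropper", "TROJ_ROOTKIT.FX": "rootkit"}
BLOCKING = {"quarantined", "blocked", "cleaned"}  # actions that stop the chain

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split an assumed 'src key=value key="quoted value"' line into (src, fields)."""
    src, _, rest = line.partition(" ")
    return src, {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def stage_of(src, f):
    """Map one event to a chain stage (spam, download, dropper, rootkit) or None."""
    if src == "mail" and f.get("subject") in SPAM_SUBJECTS:
        return "spam"
    if src == "proxy" and f.get("url", "").endswith("/" + DROPPER_FILE):
        return "download"
    if src == "av":
        return DETECTION_STAGE.get(f.get("detection"))
    return None

def chain_status(lines):
    """Per host: stages seen, first stage that was blocked, and whether the chain completed."""
    report = {}
    for line in lines:
        src, f = parse(line)
        stage = stage_of(src, f)
        if stage is None:
            continue  # unrelated traffic
        host = report.setdefault(f["host"], {"seen": [], "cut_at": None})
        host["seen"].append(stage)
        if host["cut_at"] is None and f.get("action") in BLOCKING:
            host["cut_at"] = stage
    for host in report.values():
        # Compromised only if the rootkit stage was reached and nothing earlier stopped it.
        host["compromised"] = host["cut_at"] is None and "rootkit" in host["seen"]
    return report

SAMPLE_LOG = [  # constructed sample events, one chain per host
    'mail host=ws01 action=quarantined subject="Wachovia Connection Update Alert"',
    'mail host=ws02 action=delivered subject="Wachovia Connection upgrade warning"',
    'proxy host=ws02 action=allowed url=http://phish.example/SPlusWachoviadigicert.exe',
    'av host=ws02 action=blocked detection=TROJ_AGENT.AINZ',
    'mail host=ws03 action=delivered subject="Wachovia Connection Emergency Alert System"',
    'proxy host=ws03 action=allowed url=http://phish.example/SPlusWachoviadigicert.exe',
    'av host=ws03 action=detected detection=TROJ_ROOTKIT.FX',
    'mail host=ws04 action=delivered subject="Quarterly newsletter"',
]
```

Running `chain_status(SAMPLE_LOG)` shows ws01 cut at the spam stage, ws02 at the dropper, and ws03 reaching the rootkit with nothing blocking it.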
Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and the fact that this spam appears to target Wachovia subscribers means that malware writers are counting on the chance that the victim’s PC contains critical financial information they can then collect for their own use.
The legitimate Wachovia Security Plus link can be accessed here, where the company discusses several security issues and precautionary measures to avoid being tricked by these types of attacks.
We previously saw TROJ_ROOTKIT.FX a couple of weeks back in a phishing run targeting the Bank of America, as early as 8:35 AM EDT on September 9. Unlike phishing sites, which are already harmful by themselves, these types of spam borrow legitimacy from online banking sites to deliver malware. The infection chain of the Bank of America attack starts with the download of an AGENT variant and, like this attack, ends in the initialization of TROJ_ROOTKIT.FX.
Thanks to Jessa dela Torre of the Threat Response Team for the analysis of the infection chain.