In a new spear-phishing campaign, threat actors impersonate the sixth-largest US bank holding company Truist to infect victims with what looks like remote access Trojan (RAT) malware, the FBI reported.
To spoof the financial institution, the attackers used “registered domains, email subjects, and an application, all appearing to be related to the institution,” the FBI said in its TLP:WHITE private industry alert.
The FBI released the alert in coordination with DHS-CISA. It provides security professionals and network admins with the indicators of compromise to help them detect and block attacks in the described campaign.
The agency describes an attack on a renewable energy company that took place in February 2021. Victims received phishing emails asking them to complete the process of obtaining a $62 million loan. The emails prompted them to download a Windows app masquerading as the Truist Financial SecureBank App, which the threat actors hosted on a look-alike domain impersonating Truist.
“The fraudulent loan amount was in line with the victim’s business model,” the FBI said. “The phishing e-mail also contained a link to download the application and a username and password for access… The phishing e-mail appeared to originate from a United Kingdom-based financial institution, stating the US financial institution’s loan to the victim was confirmed and could be accessed through an application which appeared to represent the US financial institution.”
Other US and UK financial institutions impersonated in the same spear-phishing campaign include FNB America, MayBank, and Cumberland Private.
At the time of writing, the malware used by the attackers has a zero detection rate across the anti-malware engines on VirusTotal.
Once installed, the malware communicates with the secureportal(.)online domain. According to the VirusTotal page for the malware sample, it can log keystrokes and take screenshots of the victims’ screens.
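As an added example (not from the article or the FBI alert), the following script shows one way a defender can turn the defanged domain above into a detection over DNS resolver logs, matching the domain itself and any subdomain while ignoring look-alike names that merely contain the string. The log lines are constructed for the example.

```python
import re

# Domain as quoted in the article, in its defanged form.
DEFANGED_C2 = "secureportal(.)online"

# Constructed DNS-resolver log lines (not from the alert): one benign lookup,
# one exact match, one subdomain match, and two look-alikes that must NOT match.
SAMPLE_DNS_LOG = """\
2021-02-10T09:12:01Z client=10.0.0.15 query=www.truist.com type=A
2021-02-10T09:12:44Z client=10.0.0.21 query=secureportal.online type=A
2021-02-10T09:13:02Z client=10.0.0.21 query=update.secureportal.online type=A
2021-02-10T09:13:30Z client=10.0.0.33 query=notsecureportal.online type=A
2021-02-10T09:14:11Z client=10.0.0.33 query=secureportal.online.example.com type=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def refang(indicator: str) -> str:
    """Turn 'secureportal(.)online' or 'secureportal[.]online' into a plain hostname."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", indicator).strip().lower().rstrip(".")


def matches_indicator(hostname: str, indicator: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it.

    The comparison is done on label boundaries, so 'notsecureportal.online'
    and 'secureportal.online.example.com' do not match.
    """
    h = hostname.lower().rstrip(".")
    return h == indicator or h.endswith("." + indicator)


def find_c2_lookups(log_text: str, defanged_indicator: str = DEFANGED_C2) -> list[tuple[str, str]]:
    """Return (client, queried_name) for every log line whose query hits the indicator."""
    indicator = refang(defanged_indicator)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and matches_indicator(m.group("query"), indicator):
            hits.append((m.group("client"), m.group("query")))
    return hits


if __name__ == "__main__":
    for client, name in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"ALERT: host {client} resolved {name}")
```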
Other capabilities include privilege escalation, communication over UDP, downloading and dropping files, manipulating the system registry, listening for incoming connections, communicating over DNS and HTTP, and injecting code into a remote process with CreateRemoteThread.
With the information stolen in such a campaign, attackers can go on to harvest their victims’ login credentials and other sensitive data for impersonation or for further compromise of their networks.