Today I identified several phishing emails targeting the Royal Bank of Canada’s customers:
The phish above is the classic trick: it sends you to a fake banking site and has you type in your personal information (social engineering).
By contrast, the following phish aims to get you to run a file (social engineering plus malware infection):
This Trojan is almost undetected by anti-virus software (VirusTotal 2/44) and yet performs some pretty nasty things. If you are interested in the full payload, here is a ThreatExpert report.
One of the interesting things it does is turn off Internet Explorer’s anti-phishing filter:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
EnabledV8 = 0x00000000
ShownServiceDownBalloon = 0x00000000
It also copies an executable (VirusTotal 4/44) to all connected shares (worm-like behaviour) using the Autorun.inf file to auto-launch it.
Following that, it will contact a remote server (dbdata-check.com @ 95.57.120.143) located in Kazakhstan at regular intervals:
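The three behaviours described above (the PhishingFilter registry change, the Autorun.inf drop on connected shares, and the beacon to dbdata-check.com / 95.57.120.143) can be checked for on a Windows host with a short triage script. The script below is an added example for this post, not code from the author or from the ThreatExpert report; it assumes it is run in PowerShell on the suspect machine, that a value of 1 for EnabledV8 is the "filter on" setting that the -Fix switch should restore, and that the only indicators of interest are the ones named in this post.

```powershell
param(
    [switch]$Fix   # restore the IE phishing filter if it was found disabled
)

$findings = @()

# 1. Registry: the Trojan sets EnabledV8 = 0 under PhishingFilter (HKCU),
#    which switches off IE's anti-phishing filter for the current user.
$pfKey = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
if (Test-Path -Path $pfKey) {
    $pf = Get-ItemProperty -Path $pfKey
    if ($pf.PSObject.Properties['EnabledV8'] -and $pf.EnabledV8 -eq 0) {
        $findings += "IE phishing filter disabled (EnabledV8 = 0) under $pfKey"
        if ($Fix) {
            # Assumption: 1 is the "enabled" value for the IE8 filter.
            Set-ItemProperty -Path $pfKey -Name 'EnabledV8' -Value 1 -Type DWord
            $findings += "EnabledV8 reset to 1"
        }
    }
}

# 2. Shares and removable drives: the worm component drops Autorun.inf at the
#    root of every reachable drive. Report the file and the executable the
#    "open=" / "shellexecute=" line points at, so it can be collected.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path -Path $_.Root -ChildPath 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                  Select-String -Pattern '^\s*(open|shellexecute)\s*='
        $findings += "Autorun.inf present at $inf (" + (($launch | ForEach-Object { $_.Line }) -join '; ') + ")"
    }
}

# 3. Network: the Trojan contacts dbdata-check.com (95.57.120.143) at regular
#    intervals. A hit in the resolver cache means the host has looked it up
#    recently. ipconfig is used rather than Get-DnsClientCache so this also
#    works on older Windows versions.
$dnsCache = ipconfig /displaydns 2>$null
if (($dnsCache -match 'dbdata-check\.com') -or ($dnsCache -match '95\.57\.120\.143')) {
    $findings += "DNS cache contains dbdata-check.com / 95.57.120.143 (C2 contact)"
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from this Trojan found on this host."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it as `.\rbc-trojan-check.ps1` to report only, or with `-Fix` to also re-enable the phishing filter; the Autorun.inf and C2 findings are reported rather than cleaned so that the dropped executable can be preserved for analysis before the share is cleaned up.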
Jerome Segura