Symantec Finds Phishing Scam to Steal Financial Data
Posted by: Timothy Weaver on 03/14/2017 03:19 PM
Emails purporting to come from HSBC, a banking and financial services company, are trying to trick victims at financial institutions into downloading and installing “virus detection software” that is actually an information-stealing Trojan, W32.Difobot.
The email tells the recipient to install Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud. However, the software is fake and actually installs malware that steals information from the compromised computer. The email is loaded with security advisory information and eco-friendly messaging to make it look more convincing.
To hide itself, the malware uses God Mode. It also makes registry changes in an attempt to shield itself from notifications and system tools.
Once hidden, the malware contacts a command-and-control server and begins stealing data, including financial data.
On other occasions, the campaign has used the same scam but with payment advice and with Themida-packed information-stealing malware.
Source: SCMagazine
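
A defender-side check for the God Mode hiding trick mentioned above, added here as an example and not taken from Symantec or the article: it walks a directory tree and flags folders whose names end in a `.{GUID}` shell CLSID suffix. The sample tree, its folder names and its file are constructed for illustration; the article does not say which folder name W32.Difobot uses.

```python
import os
import re
import tempfile

# Folder names ending in ".{GUID}" are treated by Windows Explorer as shell
# namespace junctions: Explorer opens the shell object, not the file listing.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)
# The "All Tasks" CLSID popularly known as God Mode.
GOD_MODE_CLSID = "ED7BA470-8E54-465E-825C-99712043E01C"


def find_clsid_dirs(root):
    """Return sorted (relative_path, clsid, is_god_mode, entry_count) tuples."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            m = CLSID_SUFFIX.search(name)
            if not m:
                continue
            full = os.path.join(dirpath, name)
            clsid = m.group(1).upper()
            # Anything stored in such a folder is not shown by Explorer,
            # so a non-zero entry count deserves a closer look.
            hits.append((os.path.relpath(full, root), clsid,
                         clsid == GOD_MODE_CLSID, len(os.listdir(full))))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample profile tree (not taken from a real incident)."""
    root = tempfile.mkdtemp(prefix="godmode_demo_")
    hidden = os.path.join(root, "AppData", "Roaming",
                          "updater.{ED7BA470-8E54-465E-825C-99712043E01C}")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "sample.bin"), "wb") as fh:
        fh.write(b"constructed placeholder")
    os.makedirs(os.path.join(root, "Documents", "reports.{2017}"))  # not a GUID
    os.makedirs(os.path.join(root, "Desktop",
                             "tools.{21ec2020-3aea-1069-a2dd-08002b30309d}"))
    return root


if __name__ == "__main__":
    for path, clsid, god_mode, count in find_clsid_dirs(build_sample_tree()):
        label = "God Mode CLSID" if god_mode else "other shell CLSID"
        print(f"{path}: {label} {clsid}, {count} entries inside")
```

On a live system, point `find_clsid_dirs` at user profile and application data directories; a CLSID-suffixed folder that contains files is the case to investigate.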
