Spear-phishing campaign using fake Truist banking app delivers malware

FBI warns about attacks distributing RATs posing as financial institutions

The FBI has identified that a fake Truist Financial SecureBank App was developed to spread malware

The FBI has released[1] a Private Industry Notification (PIN) stating that its Cyber Division has detected a new phishing campaign circulating on the internet. This time, threat actors are imitating Truist Financial Corporation,[2] an American bank holding company that is the sixth-largest in the US.

The PIN contained a brief summary of one identified spear-phishing attempt that in February 2021 targeted a US-based renewable energy company. During the campaign, threat actors sent the victim emails containing two .pdf files and hyperlinks to a spoofed website.

The target of this phishing attack was urged to download an application that looked like a legitimate app from Truist bank, called Truist Financial SecureBank App. The app was allegedly required to complete registration and receive a loan of $62 million. The email also contained a username and password to log in to the fake tool. In reality, a remote access trojan, better known in the security community as a RAT, was hidden within the downloaded impersonated banking app.

Functions and capabilities of the distributed malware

Samples of the RAT delivered through the spear-phishing campaign were provided to VirusTotal, a portal for scanning possibly malicious files with the most popular antivirus engines. The results were staggering as none of the AV tools flagged the setup.exe file as malicious.

That suggests that, whatever security software is installed on a device, it would miss the file, and the infection could run uninterrupted in the background. VirusTotal has issued a list[3] of what the impersonated Truist Financial SecureBank App could do on an infected computer:

  • take screenshots or make videos using a webcam,
  • manipulate system registry by altering values and entries,
  • download additional malware,
  • steal personal files,
  • log keystrokes,
  • etc.

Most of these functions are linked to information stealing. By taking screenshots and logging keystrokes, the evildoers might obtain your private information (address, phone number, SSN, etc.) or gain access to your emails, social media profiles, bank accounts, and the like.

More attacks may lie ahead as the Truist bank wasn't the only one impersonated

The phishing emails sent out during the campaign contained hyperlinks to secureportal.online. Threat actors urged their victims to visit this page to download the malicious Truist Financial SecureBank App. According to research,[4] the Truist bank wasn't the only spoofed one.

Cumberland Private, MayBank, and FNB America were also being mimicked. Such spear-phishing attacks could return, so everyone using any of these four UK and US financial institutions should be aware of this and be extra careful. Since reliable antivirus software doesn't seem to be enough to stop this fake Windows application, people need to learn how to spot a phishing email to avoid becoming the next cyberattack victim.

One of the most notable peculiarities of such a message is that it creates a sense of urgency. It might be an email appearing to be from your bank, coworkers, hospital, etc., urging you to click a hyperlink or download an attached file. If you ever spot something suspicious, please call the person/institution and ask if they've sent the email to you.

Please don't rush: opening the attachment or clicking on a link might get you into far more trouble than taking the time to double-check the email's origins. Other features[5] might include misspelled domain names, grammatical errors, requests for private details over email, and so on.
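The warning signs described above can also be checked automatically at a mail gateway. The following is an added example, not code from the FBI notification or from any vendor: it flags an email that names a bank but links to a domain outside that bank's verified list, links to an executable, uses urgent wording, or carries login details. The allowlist, the keyword lists, the function names and both sample emails are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: domains the defender has verified per brand (one entry shown).
BRAND_DOMAINS = {"truist": {"truist.com"}}
URGENCY = re.compile(r"\b(immediately|urgent|action required)\b", re.I)
CREDS = re.compile(r"\b(username|password)\s*:", re.I)
EXEC_EXT = (".exe", ".msi", ".scr")

def registered_domain(host):
    """Naive last-two-labels domain; use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def extract_links(text):
    """Return http(s) URLs found in the text, minus trailing punctuation."""
    return [u.rstrip(".,)>") for u in re.findall(r"https?://\S+", text)]

def phishing_findings(subject, body, brand_domains):
    """Return a list of indicator strings; an empty list means nothing flagged."""
    text = f"{subject}\n{body}"
    links = extract_links(body)
    findings = []
    for brand, legit in brand_domains.items():
        if not re.search(rf"\b{re.escape(brand)}\b", text, re.I):
            continue  # brand is not mentioned, so there is nothing to compare
        for url in links:
            dom = registered_domain(urlparse(url).hostname or "")
            if dom not in legit:
                findings.append(f"brand-mismatch:{brand}:{dom}")
    for url in links:
        if urlparse(url).path.lower().endswith(EXEC_EXT):
            findings.append(f"executable-link:{url}")
    if URGENCY.search(text):
        findings.append("urgency")
    if CREDS.search(text):
        findings.append("credentials-in-email")
    return findings

# Constructed samples: the wording and URL path are invented for this example.
SUSPECT_SUBJECT = "Action required: complete your Truist loan registration"
SUSPECT_BODY = ("Download the Truist Financial SecureBank App at "
                "https://secureportal.online/download/setup.exe and sign in "
                "with username: jdoe password: Example123")
BENIGN_SUBJECT = "Your monthly statement is ready"
BENIGN_BODY = "View your Truist statement at https://www.truist.com/statements"

if __name__ == "__main__":
    print(phishing_findings(SUSPECT_SUBJECT, SUSPECT_BODY, BRAND_DOMAINS))
    print(phishing_findings(BENIGN_SUBJECT, BENIGN_BODY, BRAND_DOMAINS))
```

A check like this complements antivirus scanning because it looks at the message rather than the file, which matters when the attachment or download is not yet detected by any engine.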

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
