22 Sep 2008
“Wachovia Security Certificate” Installs Rootkit
At 4:18 PM PST on Sept 22, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting Wachovia Bank (NYSE: WB), a Fortune 500 company and the 4th largest banking chain in the US. The attack ends in the execution of TROJ_ROOTKIT.FX, a rootkit that hides files and processes so that the rest of the attack can run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
- Wachovia Connection Update Alert.
- Wachovia Connection Customer Support - Security Updates.
- Wachovia Connection upgrade warning.
- Wachovia Connection Emergency Alert System.
The spam carries the following email body:
WACHOVIA CORPORATION NOTICE.
At Wachovia we’ve re-imagined what’s possible for online cash management.
The next step in the transformation of Wachovia Connection is access through a new Wachovia Security Plus Certificate.
This will allow you to access securely the Wachovia Connection and other online services.
All users will be notified and must manually install the Wachovia Security Plus Certificate.
Installation takes about two minutes.
Start installation process now {malicious link}
Sincerely, {varies}
2008 Wachovia Corporation.
All rights reserved.
The malicious links download a file named SPlusWachoviadigicert.exe, which the Trend Micro Smart Protection Network detects as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at several points by the Smart Protection Network, as we already detect the spam, the malicious links in it, and the files that are downloaded and executed on the system.
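The indicators above (the reported subject lines, the lure wording in the body, and a link to an executable named like a certificate) are enough for a simple mail-gateway triage rule. The following Python script is an added example, not Trend Micro's code or anything from the original post: it parses constructed sample messages and scores them against those indicators. The sender address and the URL host (example.invalid) are placeholders, not the real malicious link.

```python
"""Indicator-based triage for the Wachovia 'Security Plus Certificate' spam.

Added example. The sample messages below are constructed for illustration;
the URL host is a placeholder, not the campaign's real link.
"""
import re
from email import message_from_string

# Subject lines reported for this campaign (trailing periods stripped, lowercased).
CAMPAIGN_SUBJECTS = {
    "wachovia connection update alert",
    "wachovia connection customer support - security updates",
    "wachovia connection upgrade warning",
    "wachovia connection emergency alert system",
}

# Lure phrases taken from the reported spam body, and the reported dropper name.
LURE_PHRASES = ("wachovia corporation notice", "wachovia security plus certificate")
DROPPER_FILENAME = "spluswachoviadigicert.exe"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def url_filename(url):
    """Last path component of a URL, with query/fragment removed, lowercased."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def triage(raw_message):
    """Score one RFC 822 message against the campaign indicators.

    Returns a dict with the numeric score, the verdict, and the reasons
    that contributed, so an analyst can see why a message was held.
    """
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().rstrip(".").lower()
    # Keep the example single-part; a real gateway would walk all text parts.
    body = msg.get_payload() if not msg.is_multipart() else ""
    body_lc = body.lower()

    score = 0
    reasons = []
    if subject in CAMPAIGN_SUBJECTS:
        score += 2
        reasons.append("subject matches a reported campaign subject")
    for phrase in LURE_PHRASES:
        if phrase in body_lc:
            score += 1
            reasons.append(f"lure phrase in body: {phrase!r}")
    for url in extract_urls(body):
        name = url_filename(url)
        if name == DROPPER_FILENAME:
            score += 3
            reasons.append(f"link to reported dropper filename: {name}")
        elif name.endswith(".exe"):
            score += 2
            reasons.append(f"link to executable: {name}")

    verdict = "quarantine" if score >= 3 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: mirrors the reported lure (placeholder sender and host).
PHISH_SAMPLE = (
    "From: alerts@example.invalid\n"
    "Subject: Wachovia Connection Upgrade Warning.\n"
    "Content-Type: text/plain\n"
    "\n"
    "WACHOVIA CORPORATION NOTICE.\n"
    "All users will be notified and must manually install the\n"
    "Wachovia Security Plus Certificate. Installation takes about two minutes.\n"
    "Start installation process now http://example.invalid/SPlusWachoviadigicert.exe\n"
)

# Constructed sample: an ordinary notification with no executable link.
BENIGN_SAMPLE = (
    "From: statements@example.invalid\n"
    "Subject: Your quarterly statement is available\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your statement is ready at https://example.invalid/statements\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(label, result["verdict"], result["score"], result["reasons"])
```

The scoring is deliberately layered: a subject match alone would not hold the message (subjects are trivially changed), but any link to an executable pushes an otherwise lure-like message over the threshold, and the reported dropper filename is weighted highest because it is the most specific indicator on the page.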
Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means an entire attack can transpire without the victim ever suspecting that something is wrong with the PC. Malicious rootkits are often associated with information theft, and since this spam appears to target Wachovia subscribers, the malware writers are counting on the chance that the victim’s PC holds critical financial information they can then siphon off for their own use.
The legitimate Wachovia Security Plus link can be accessed here, where the company discusses several security issues and precautionary methods to avoid being tricked by these types of attacks.
Related blog posts:
We previously saw TROJ_ROOTKIT.FX a couple of weeks ago in a phishing run targeting Bank of America, as early as 8:35 AM EDT on September 9. Unlike phishing sites, which are already harmful by themselves, these types of spam borrow legitimacy from online banking sites to deliver malware. The infection chain of the Bank of America attack starts with the download of an AGENT variant and, like this attack, ends in the initialization of TROJ_ROOTKIT.FX.
Thanks to Jessa dela Torre of the Threat Response Team for the analysis of the infection chain.