Threat actors impersonated an employee of Truist, the sixth-largest US bank holding company, in a spear-phishing campaign attempting to infect recipients with what looks like remote access trojan (RAT) malware.
The FBI said the attackers’ goal was “to spoof the financial institution through registered domains, email subjects, and an application, all appearing to be related to the institution,” in a TLP:WHITE private industry notification (PIN).
The PIN was released in coordination with DHS-CISA and is designed to provide security professionals and network admins with the indicators of compromise needed to detect and block such attacks.
In one of the attacks, targeting a renewable energy company in February 2021, the phishing emails instructed the target to download a malicious Windows app mimicking the legitimate Truist Financial SecureBank App, supposedly needed to complete the process for a $62 million loan.
“The fraudulent loan amount was in line with the victim’s business model,” the FBI added. “The phishing e-mail also contained a link to download the application and a username and password for access.”
“The phishing e-mail appeared to originate from a United Kingdom-based financial institution, stating the US financial institution’s loan to the victim was confirmed and could be accessed through an application which appeared to represent the US financial institution.”
The threat actors hosted the fake Windows application on a fraudulent domain that they had registered before the attack to impersonate Truist.
Other US and UK financial institutions (e.g., MayBank, FNB America, and Cumberland Private) seem to have also been impersonated in this spear-phishing campaign.
Malware with information-exfiltration capabilities
To increase their attacks’ success rate, the attackers used malware currently undetected by anti-malware engines on VirusTotal.
The malware deployed after recipients download and install the malicious executable in the spear-phishing emails connects to the secureportal(.)online domain.
As further detailed on the VirusTotal page for the malware sample shared by the FBI, the attackers can use the malware to log keystrokes and take screenshots of the victims’ screens.
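The PIN exists so that network defenders can turn indicators like the secureportal(.)online domain into detections. The following added example (not from the FBI notification or the article) shows the two checks a defender would typically run over DNS and proxy logs: an exact or subdomain match on the defanged IoC, and a lookalike check for domains that carry the impersonated brand name but are not the legitimate domain. The log line formats, the sample lines, and the allowlist of legitimate Truist domains are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# IoC from the FBI PIN as reported in the article, written defanged; refanged for matching.
DEFANGED_IOC = "secureportal(.)online"


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example(.)com' or 'example[.]com' into 'example.com'."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain).lower()


IOC_DOMAIN = refang(DEFANGED_IOC)

# Brand token the attackers impersonated. The allowlist of legitimate domains is an
# assumption for this example, not something the article states.
BRAND_TOKEN = "truist"
ALLOWLIST = {"truist.com"}

# Extracts the hostname from either a DNS query log line or a proxy log line
# (both formats are constructed for this example).
HOST_RE = re.compile(r"(?:query:|host=)\s*([a-z0-9.-]+)", re.IGNORECASE)


def matches_ioc(host: str) -> bool:
    """True if host is the IoC domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)


def is_lookalike(host: str) -> bool:
    """True if host contains the brand token but is not an allowlisted legitimate domain."""
    host = host.lower().rstrip(".")
    if BRAND_TOKEN not in host:
        return False
    return not any(host == a or host.endswith("." + a) for a in ALLOWLIST)


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, host) hits for log lines naming the IoC or a lookalike domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if matches_ioc(host):
            hits.append(("ioc", host))
        elif is_lookalike(host):
            hits.append(("lookalike", host))
    return hits


# Constructed sample log lines; not real telemetry.
SAMPLE_LOGS = [
    "2021-02-10T09:12:01Z dns client 10.1.2.3 query: update.secureportal.online A",
    "2021-02-10T09:12:05Z proxy src=10.1.2.3 host=secureportal.online uri=/app/SecureBank.exe",
    "2021-02-10T09:13:40Z proxy src=10.1.2.4 host=www.truist.com uri=/",
    "2021-02-10T09:14:02Z dns client 10.1.2.5 query: truist-secure-login.example A",
    "2021-02-10T09:15:00Z proxy src=10.1.2.6 host=example.org uri=/",
]

if __name__ == "__main__":
    for reason, host in scan(SAMPLE_LOGS):
        print(f"{reason}: {host}")
```

The subdomain check matters because the article only names the apex domain; matching on the suffix `.secureportal.online` catches any host the operators might have used under it without also matching unrelated domains that merely end in the same string. The lookalike check is noisier by design and is meant for review rather than automatic blocking.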
According to VirusTotal, the malware’s list of capabilities includes:
- Privilege escalation
- Communications over UDP network
- System registry manipulation
- Screenshot grabbing
- Listening for incoming communication
- Running a keylogger
- Communicating using DNS
- File downloader/dropper
- Communications over HTTP
- Code injection with CreateRemoteThread in a remote process
Last month, world-leading employment agency Michael Page was impersonated in a similar phishing campaign attempting to infect recipients with Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers.