SINOWAL Attempts To Disable Rapport, Aid ZBOT

The year might be coming to a close but we’re still seeing our 2013 predictions come true. We encountered an attack that featured an old malware with new routines. This malware, detected as BKDR_SINOWAL.COP specifically attempts to disable the Rapport software from Trusteer.

Figure 1. Code that looks for the Trusteer Rapport module

Rapport is software that protects users from phishing and man-in-the-browser (MitB) attacks. It is frequently provided to users by their banks to improve their security. If the attacker succeeded in disabling Rapport, users would be more vulnerable to man-in-the-browser attacks, which are frequently used by banking malware.

A side note: we have been in contact with Trusteer regarding this threat, and they have confirmed that it does not succeed in disabling Rapport, so users are not at increased risk.

However, BKDR_SINOWAL.COP does not have the ability to perform MitB attacks by itself. This means that it requires a plugin component or another malware to successfully perform this type of attack.

Feedback from the Smart Protection Network (SPN) shows that the attack arrived as an email attachment. This attachment is a compressed file which contains a variant of BKDR_ANDROM malware, detected as BKDR_ANDROM.LSK. This malware will drop and execute both the SINOWAL malware and TSPY_ZBOT.IRF.

Figure 2. SINOWAL routine

Knowing this, we can say that the attacker intended to make ZBOT’s MitB routine (via web injects) more successful by using BKDR_SINOWAL’s capability to disable software that prevents that specific attack.

This threat shows how different threats can work together to increase their effectiveness in carrying out their malicious activities, like stealing information. We already detect the malware associated with this attack.

The following are the SHA1 hashes of the files that are related to this threat: