A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.
The spam emails were designed look as though they had been sent by HSBC, and even display an "@hsbc.com" email address. The messages claim to be distributing malware detection software Rapport from Trusteer (acquired by IBM in 2013), which is a legitimate security program designed to protect online bank accounts from fraud. However, users are being connected to a malicious information stealing application instead. What’s more, the malware uses Windows GodMode to keep itself hidden on the compromised machines, the researchers say.
The spam messages feature security advisory information and eco-friendly messaging, in an attempt to look more convincing. The email even warns recipients against opening attachments from unknown or non-trustworthy sources, but also includes a series of elements that clearly suggest it isn’t as legitimate as it pretends to be.
For example, the email subject line features the phrase “Payment Advice” followed by a large gap and then 10 random characters, the language and sentence structure in the email are suspicious, with some not making sense at all, and the email has a “virus detection software” as attachment, and not “payment advice,” as claimed. Moreover, the email features a .7z attachment, which legitimate emails wouldn’t (legitimate emails wouldn’t deliver antivirus software either).
The .7z file includes the fake Rapport executable and an Instruction.jar file. When executed, the malware creates a folder for itself, and then hides it by leveraging the Windows GodMode (also known as Windows Master Control Panel shortcut, it offers access to various control settings in some Windows variants, and various malware families have been abusing it for persistency).
After a successful infection, the malware modifies registry entries (to disable notifications) and a series of system tools, in an attempt to shield itself. Next, the Trojan starts the communication with the command and control (C&C) server, allowing the remote attacker to steal information from the compromised machine.
The spam run was active for 24 hours from February 10 through February 11, but Symantec suggests that it could be part of a larger campaign, given that similar themed HSBC themed emails mentioning payment advice have been observed on other occasions (with emails were featuring Themida-packed information-stealing malware), Symantec says.
Last year, a spam campaign was observed spreading Panda Banker and abusing HSBC’s name (and the name of other institutions, depending on the targeted users), while a more recent attack was distributing the Adwind RAT via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain).