Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

HSBC Users Targeted With Fake Security Software

A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.

A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.

The spam emails were designed look as though they had been sent by HSBC, and even display an “@hsbc.com” email address. The messages claim to be distributing malware detection software Rapport from Trusteer (acquired by IBM in 2013), which is a legitimate security program designed to protect online bank accounts from fraud. However, users are being connected to a malicious information stealing application instead. What’s more, the malware uses Windows GodMode to keep itself hidden on the compromised machines, the researchers say.

The spam messages feature security advisory information and eco-friendly messaging, in an attempt to look more convincing. The email even warns recipients against opening attachments from unknown or non-trustworthy sources, but also includes a series of elements that clearly suggest it isn’t as legitimate as it pretends to be.

For example, the email subject line features the phrase “Payment Advice” followed by a large gap and then 10 random characters, the language and sentence structure in the email are suspicious, with some not making sense at all, and the email has a “virus detection software” as attachment, and not “payment advice,” as claimed. Moreover, the email features a .7z attachment, which legitimate emails wouldn’t (legitimate emails wouldn’t deliver antivirus software either).

The .7z file includes the fake Rapport executable and an Instruction.jar file. When executed, the malware creates a folder for itself, and then hides it by leveraging the Windows GodMode (also known as Windows Master Control Panel shortcut, it offers access to various control settings in some Windows variants, and various malware families have been abusing it for persistency).

After a successful infection, the malware modifies registry entries (to disable notifications) and a series of system tools, in an attempt to shield itself. Next, the Trojan starts the communication with the command and control (C&C) server, allowing the remote attacker to steal information from the compromised machine.

The spam run was active for 24 hours from February 10 through February 11, but Symantec suggests that it could be part of a larger campaign, given that similar themed HSBC themed emails mentioning payment advice have been observed on other occasions (with emails were featuring Themida-packed information-stealing malware), Symantec says.

Last year, a spam campaign was observed spreading Panda Banker and abusing HSBC’s name (and the name of other institutions, depending on the targeted users), while a more recent attack was distributing the Adwind RAT via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain).

Advertisement. Scroll to continue reading.

Related: Keylogger, Bitcoin Stealer Dropped via Fake Bank Transfer Emails

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The City of Phoenix has promoted Mitch Kohlbecker to the role of Chief Information Security Officer.

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.