Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

HSBC Users Targeted With Fake Security Software

A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.

A recent spam campaign impersonating UK-based banking giant HSBC is attempting to distribute malware masquerading as legitimate security software, Symantec researchers warn.

The spam emails were designed look as though they had been sent by HSBC, and even display an “@hsbc.com” email address. The messages claim to be distributing malware detection software Rapport from Trusteer (acquired by IBM in 2013), which is a legitimate security program designed to protect online bank accounts from fraud. However, users are being connected to a malicious information stealing application instead. What’s more, the malware uses Windows GodMode to keep itself hidden on the compromised machines, the researchers say.

The spam messages feature security advisory information and eco-friendly messaging, in an attempt to look more convincing. The email even warns recipients against opening attachments from unknown or non-trustworthy sources, but also includes a series of elements that clearly suggest it isn’t as legitimate as it pretends to be.

For example, the email subject line features the phrase “Payment Advice” followed by a large gap and then 10 random characters, the language and sentence structure in the email are suspicious, with some not making sense at all, and the email has a “virus detection software” as attachment, and not “payment advice,” as claimed. Moreover, the email features a .7z attachment, which legitimate emails wouldn’t (legitimate emails wouldn’t deliver antivirus software either).

The .7z file includes the fake Rapport executable and an Instruction.jar file. When executed, the malware creates a folder for itself, and then hides it by leveraging the Windows GodMode (also known as Windows Master Control Panel shortcut, it offers access to various control settings in some Windows variants, and various malware families have been abusing it for persistency).

After a successful infection, the malware modifies registry entries (to disable notifications) and a series of system tools, in an attempt to shield itself. Next, the Trojan starts the communication with the command and control (C&C) server, allowing the remote attacker to steal information from the compromised machine.

The spam run was active for 24 hours from February 10 through February 11, but Symantec suggests that it could be part of a larger campaign, given that similar themed HSBC themed emails mentioning payment advice have been observed on other occasions (with emails were featuring Themida-packed information-stealing malware), Symantec says.

Last year, a spam campaign was observed spreading Panda Banker and abusing HSBC’s name (and the name of other institutions, depending on the targeted users), while a more recent attack was distributing the Adwind RAT via emails supposedly coming from the HSBC Advising Service (from the mail.hsbcnet.hsbc.com domain).

Related: Keylogger, Bitcoin Stealer Dropped via Fake Bank Transfer Emails

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.