Thursday, 15 January 2015

Payment Advice - Advice Ref HSBC Advising Service malware

Payment Advice - Advice Ref HSBC Advising Service malware in the form of an HTML email, with a link to auto-download a ZIP file.  {Bankline.Administrator@nutwest.com}

WARNING: downloaded zip file is reported as: Cryptolocker.Suspicious by QuickHeal Anti-Virus (not confirmed)

Headers: (Note: The Ref. is Random)
From: "HSBC Advising Service" {Bankline.Administrator@nutwest.com}
Subject: Payment Advice - Advice Ref:[GB109055] / CHAPS credits

Message body:

Sir/Madam,

Please download document from dropbox, payment advice is issued at the
request of our customer. The advice is for your reference only.

Download link:

http://www.bosleymanagement DOT com/NATWEST_RELEASES/bankline.html

Yours faithfully,
Global Payments and Cash Management
HSBC

This is an auto-generated email, please DO NOT REPLY. Any replies to
this email will be disregarded.

Security tips

1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure you have
the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of
this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability
for any errors or omissions.
*******************************************************************
"SAVE PAPER - THINK BEFORE YOU PRINT!"

The auto-downloaded ZIP file is (note: the downloaded filename is random):
doc140_pdf.zip

Inside the ZIP is a Windows executable (note the dual extension, which makes the file look like a PDF on a Windows machine that hides known extensions):
doc726_pdf.exe

MD5 hashes:
ac5bcb9d2d7f2dc9e36649f25232ee7f
10f19f8b9fba32aa2d53bcf48e277c67
bb983668e38ab0bd7ca93b42850b0e8f
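As an added example (not Sanesecurity's code or signature), the following Python inspects a ZIP attachment the way a mail-gateway or triage script might: it flags document-style member names that end in an executable extension, such as doc726_pdf.exe, and compares each member's MD5 against the hashes listed above. The archive it builds is constructed from inert placeholder bytes, not the real sample.

```python
import hashlib
import io
import re
import zipfile

# MD5 hashes published in the post for the doc*_pdf.exe payload.
KNOWN_BAD_MD5 = {
    "ac5bcb9d2d7f2dc9e36649f25232ee7f",
    "10f19f8b9fba32aa2d53bcf48e277c67",
    "bb983668e38ab0bd7ca93b42850b0e8f",
}

# Extensions Windows will execute on double-click; this campaign used .exe.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# "doc726_pdf.exe" style: a document hint (pdf, doc, ...) separated by . _ or -
# from the final, real extension.
DOUBLE_EXT = re.compile(r"[._-](pdf|docx?|xlsx?|txt)\.[a-z0-9]{2,4}$", re.IGNORECASE)

def inspect_zip(data: bytes) -> list:
    """Return one finding per suspicious archive member; [] means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            reasons = []
            if lower.endswith(EXECUTABLE_EXT):
                reasons.append("executable inside archive")
                if DOUBLE_EXT.search(lower):
                    reasons.append("document-style name hiding executable extension")
            md5 = hashlib.md5(zf.read(info)).hexdigest()
            if md5 in KNOWN_BAD_MD5:
                reasons.append("MD5 matches published indicator")
            if reasons:
                findings.append({"name": info.filename, "md5": md5, "reasons": reasons})
    return findings

def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test archive; the payload is inert placeholder bytes, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("doc726_pdf.exe", b"MZ placeholder, not malware")
    for f in inspect_zip(sample):
        print(f["name"], f["md5"], "; ".join(f["reasons"]))
```
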
Malware Information:
VirusTotal Report [1] (hits 5/57 Virus Scanners)
VirusTotal Report [2] (hits 5/57 Virus Scanners)

Jotti Report [2] (hits 3/22 Virus Scanners)

Malwr Report [1]
Malwr Report [2]

Summary:

Error: Analysis failed: The package "modules.packages.zip" start function raised an error: Unable to execute the initial process, analysis aborted.

Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24688

Cheers,

Steve
Sanesecurity.com

12 comments:

Anonymous said...

Just seen a big bunch of these come in, around 3pm (uk time).

Peter Lammas said...

Just had ten of these in the last twenty mins.
Thanks for your info.

Anonymous said...

Me too, around 5 emails within the past half hour. Just reported them to GoDaddy.

Anonymous said...

Just had 4 of these come in within like 10 mins. Do NOT open!

Anonymous said...

Can this file auto download to a Mac?

Becky said...

13 of these in a space of 10 minutes!

Anonymous said...

Me too, six in the last ten min.

Anonymous said...

Just had over 50 to two separate and unrelated accounts. Reported to phishing@hsbc.com

Clif Watson said...

Yep, I've been getting quite a few of these since yesterday, the 14th of January, and today, the 15th.

Anonymous said...

We just received about 150 of these since yesterday.

Anonymous said...

Looking into it, these scum bags have at least 6 different domains they are using for the scam. Fake company sites seem to be the hosts for the naughty files, with a GoDaddy domain sending the emails. I have already called GoDaddy and forwarded the email to them. Sick to death of these absolute bottom feeders; is there any way somebody can reveal who these people are?? We have had multiple attempts on our company, totally sick to death of it.

Anonymous said...

>Just seen a big bunch of these come in, around 3pm (uk time).

We had a bunch of them between 8AM and 9AM CST, which would be between 2PM and 3PM UK time.