New Info-Stealing Trojan Spotted in HSBC Malspam Campaign

Posted by Roy Moshailov on May 9, 2018 at 5:38 PM
On the 12th of April, Morphisec identified and prevented a major wave of malspam purporting to be from HSBC Bank. The phishing campaign targeted several industrial manufacturing and service enterprises in Asia, using standard but still often effective social engineering tactics. The malicious email delivered a sophisticated info-stealing trojan via a weaponized ISO attachment. ISO files are an image archive format used for optical disc images, and they can be opened with WinRAR and other programs.

A similar campaign, most likely by the same crime group, was observed at the end of 2017, but that one delivered the Netwire trojan. The trojan in this campaign is significantly more sophisticated. The HSBC name has been used in numerous email scams over the past several years, some specifically aimed at HSBC customers and others, like this one, capitalizing on HSBC's name recognition to lure other targets.

Attack Flow

The email pretends to come from "HSBC Bank Advice" and displays an @hsbc.com sender address to appear more legitimate.

[Screenshot: HSBC_1]

The attachment was an ISO file containing a Windows executable, which launches the trojan.

The extracted trojan executable uses multiple techniques to evade detection and hinder analysis. The campaign relies on process injection: the trojan allocates RWE (read-write-execute) memory in a sensitive process and writes its malicious code there in order to steal credentials, using the ZwAllocateVirtualMemory, NtWriteVirtualMemory and RtlCreateUserThread APIs. It also checks for a debugger and reads data related to saved browser credentials.

[Screenshot: HSBC_2]

Check whether the Sandboxie DLL module (SbieDll.dll) is loaded:

[Screenshot: HSBC_3]

Check whether Kaspersky AV is present (pva.exe):

[Screenshot: HSBC_4]

Decoded API function names (the comment shows the decrypted function):

[Screenshot: HSBC_5]
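The traits described above (an ISO attachment carrying a PE, and the injection and evasion indicators in the extracted executable) can be checked statically at the mail gateway or in triage. The following is an added example for that purpose, not Morphisec's tooling or code from the sample; the input bytes are constructed inline, and the indicator list is exactly the set of names this post mentions.

```python
"""Static triage of a mail attachment: flags an ISO 9660 container, locates
embedded PE images, and scans for the injection/evasion strings named above.
Added example (not Morphisec's code); runs offline on constructed input."""
import re
import struct

# Indicators taken from the write-up; nothing beyond these is assumed.
INJECTION_APIS = [b"ZwAllocateVirtualMemory", b"NtWriteVirtualMemory", b"RtlCreateUserThread"]
EVASION_STRINGS = [b"SbieDll.dll", b"pva.exe"]

def is_iso9660(data: bytes) -> bool:
    # The primary volume descriptor sits in sector 16 (2048-byte sectors): "CD001" at 0x8001.
    return data[0x8001:0x8006] == b"CD001"

def find_pe_offsets(data: bytes) -> list:
    """Offsets of embedded PE images: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    found = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        # Heuristic bounds: the DOS header is 0x40 bytes; stubs rarely exceed a page.
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            found.append(off)
    return found

def find_indicators(blob: bytes) -> dict:
    """Match each indicator as ASCII or UTF-16LE. Caveat: names the sample only
    decodes at runtime (as this trojan does) will not appear in a plain string scan."""
    hits = {}
    for name in INJECTION_APIS + EVASION_STRINGS:
        forms = (name, name.decode().encode("utf-16-le"))
        hits[name.decode()] = any(f in blob for f in forms)
    return hits

def triage(attachment: bytes) -> dict:
    return {"iso_container": is_iso9660(attachment),
            "embedded_pe_offsets": find_pe_offsets(attachment),
            "indicators": find_indicators(attachment)}

def build_sample() -> bytes:
    """Constructed input: an ISO-like blob whose first data sector holds a PE stub
    carrying four of the five indicators (pva.exe deliberately omitted)."""
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40  # e_lfanew = 0x80
    pe += b"PE\x00\x00" + b"\x00" * 20                                       # zeroed COFF header
    pe += b"ZwAllocateVirtualMemory\x00NtWriteVirtualMemory\x00SbieDll.dll\x00"
    pe += "RtlCreateUserThread".encode("utf-16-le")                          # wide-string form
    return b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * (2048 - 8) + pe

if __name__ == "__main__":
    print(triage(build_sample()))
```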

How Does Morphisec Protect You From This Attack?

Morphisec stops the trojan executable before it can perform any malicious activity. Morphisec customers are, and have always been, protected from this trojan out of the box, with no updates needed.

Artifacts:

Extracted executable: ca7a048f9b706415830fa5fa1332ea6437ad5761d2fca77594f8387f76f1f9fe


Topics: Research, Attack Analysis, Threat Profile, Malspam
