Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

New Info-Stealing Trojan Spotted in HSBC Malspam Campaign

Posted by Roy Moshailov on May 9, 2018
Find me on:

New Trojan

On the 12th of April, Morphisec, identified and prevented a major wave of malspam purporting to be from HSBC Bank. The phishing campaign targeted several industrial manufacturing and service enterprises in Asia, using standard but still often effective social engineering tactics. The malicious email delivered a sophisticated info-stealing trojan via a weaponized ISO attachment. ISO files are a type of image archive format used for optical disk images, which can be opened using WinRAR and other programs.

A similar campaign, most likely by the same crime group, was observed at the end of 2017, but that one delivered the HSBC Bank trojan. This new trojan is significantly more sophisticated. The HSBC name has been used in numerous email scams over the past several years, some specifically aimed at HSBC customers and others, like this one, capitalizing on HSBC’s name recognition to lure other targets.

Attack Flow

Email pretending to come from HSBC Bank Advice, displaying an @hsbc.com email address to appear more legitimate.

HSBC Bank trojan

The attachment was an ISO file containing a Windows executable, which opens the trojan.

The extracted executable trojan uses multiple techniques to evade detection and make analysis difficult. This campaign leverages process injection technique; allocate RWE memory and write the malicious code insensitive process to steal sensitive credentials (use ZwAllocateVirtualMemory, NtWriteVirtualMemory and RtlCreateUserThread useful functions API); check for debugger; and reads data related to saved browser credentials.

New Info-Stealing Trojan

Check for Sandboxie dll module exists(SbieDll.dll):

trojan protection

Check if Kaspersky AV exists (pva.exe):

information stealing trojan

Decoded API functions (see the comment for the decrypted function):

Info-Stealing Trojan

How Does Morphisec Protect You From This Attack?

Morphisec prevents the trojan executable before it can perform any malicious activity. Morphisec customers are and have always been protected from the trojan out of the box, no updates needed

Artifacts:

Extracted Executable -ca7a048f9b706415830fa5fa1332ea6437ad5761d2fca77594f8387f76f1f9fe

New Call-to-action