On the 12th of April, Morphisec, identified and prevented a major wave of malspam purporting to be from HSBC Bank. The phishing campaign targeted several industrial manufacturing and service enterprises in Asia, using standard but still often effective social engineering tactics. The malicious email delivered a sophisticated info-stealing trojan via a weaponized ISO attachment. ISO files are a type of image archive format used for optical disk images, which can be opened using WinRAR and other programs.
A similar campaign, most likely by the same crime group, was observed at the end of 2017, but that one delivered the Netwire trojan. This trojan is significantly more sophisticated. The HSBC name has been used in numerous email scams over the past several years, some specifically aimed at HSBC customers and others, like this one, capitalizing on HSBC’s name recognition to lure other targets.
Email pretending to come from HSBC Bank Advice, displaying an @hsbc.com email address to appear more legitimate.
The attachment was an ISO file containing a Windows executable, which opens the trojan.
The extracted executable trojan uses multiple techniques to evade detection and make analysis difficult. This campaign leverages process injection technique; allocate RWE memory and write the malicious code in sensitive process to steal sensitive credentials (use ZwAllocateVirtualMemory, NtWriteVirtualMemory and RtlCreateUserThread useful functions API); check for debugger; and reads data related to saved browser credentials.
Check for Sandboxie dll module exists(SbieDll.dll):
Check if Kaspersky AV exists (pva.exe):
Decoded API functions (see the comment for the decrypted function):
How Does Morphisec Protect You From This Attack?
Morphisec prevents the trojan executable before it can perform any malicious activity. Morphisec customers are and have always been protected from the trojan out of the box, no updates needed
Extracted Executable -ca7a048f9b706415830fa5fa1332ea6437ad5761d2fca77594f8387f76f1f9fe