Fake emails from HSBC with attached Payment_advice.zip contain trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[B32454525694]”. Please note that the numbers used in the subject and in the sender address may vary.

The email is sent from the spoofed address “payment.advice@hsbc.com.hk <payment.advice.388713670.941822.0485297616@mail.hsbc.com.hk>” and has the following body:


Upon your request, attached please find payment e-Advice for your reference.

Yours faithfully



We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by e-mail or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Direct Financial Services hotline.

Please do not reply to this e-mail. Should you wish to contact us, please send your e-mail to commercialbanking@hsbc.com.hk and we will respond to you.

Note: it is important that you do not provide your account or credit card numbers, or convey any confidential information or banking instructions, in your reply mail.

Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005. All rights reserved.


The attached ZIP file is named Payment_Advice.zip and contains the 96 kB file Payment_Advice.exe.

The trojan is known as W32/Trojan.IWRE-9169, PWS.Win32.Fareit.AMN (A), W32/Yakes.B!tr, Trojan.Agent.RVGen5.

At the time of writing, 11 of the 46 AV engines detected the trojan at VirusTotal.

VirusTotal permalink and SHA256: ea92af5486f6b8039b0f2193666ea8604d54d5cc9e7f37f7396a8b6f2baa3260.
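As an added example (not MX Lab's code), a mail-gateway style check for the delivery pattern described above: the campaign's subject format and a ZIP attachment that carries an executable. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject format from the campaign; the reference digits vary per message.
SUBJECT_RE = re.compile(r"Payment Advice\s*[\u2013-]\s*Advice Ref:\[\w+\]", re.I)
# Assumed list of extensions a gateway would treat as executable content.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw message matches this campaign's delivery pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: unreadable archive")
            continue
        for member in archive.infolist():
            if member.filename.lower().endswith(EXECUTABLE_EXT):
                reasons.append(f"{name}: contains executable {member.filename}")
            if member.flag_bits & 0x1:  # bit 0 set: member is encrypted, cannot be scanned
                reasons.append(f"{name}: encrypted member {member.filename}")
    return reasons

def build_sample(member_name: str, subject: str) -> bytes:
    """Constructed test message; the archive member holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "payment.advice@hsbc.com.hk"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Upon your request, attached please find payment e-Advice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Payment_Advice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    subject = "Payment Advice \u2013 Advice Ref:[B32454525694]"
    print(inspect_message(build_sample("Payment_Advice.exe", subject)))
```

The check inspects archive contents rather than the attachment name, so it still fires when the numbers in the subject or sender address change.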

4 thoughts on “Fake emails from HSBC with attached Payment_advice.zip contain trojan”

  1. So yesterday we were hit with the UPS Express Mail delivery Notification Email and now our law firm is crashed and today we got a call from our High Speed internet provider BrightHouse about spoof emails that are coming from our IP address which are the HSBC one above.
    Any help you can offer?

  2. Today we received 2 e-mails from the same e-mail address, payment.advice@hsbc.com.hk, with the same body and attachment as stated above. We are a law firm in Belgrade, Serbia and as I can see from the To: line in one of these e-mails, they were sent to numerous e-mail addresses of the same provider.

  3. You have a new e-Message from HSBC.co.uk

    This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

    Please check attached file for more detailed information on this transaction.

    Pay To Account Number: **********27
    Due Date: 25/05/2013
    Amount Due: $ 664.63

    IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
    beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

    If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

    Copyright HSBC 2013. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..
