Fake email from HSBC Advising Service leads to malware

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary).

This email is sent from the spoofed address “HSBC Advising Service <advising.service@hsbc.com>” and has the following body:


Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:


Yours faithfully,
Global Payments and Cash Management


This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability
for any errors or omissions.

In this sample, the embedded URL points to hxxp://paparellalogistica.it/banking/document.php, from which the file documentXXX.zip (the number in the name will vary) is downloaded.
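The lure above combines a fixed subject pattern, a display name claiming to be HSBC while the message is sent from elsewhere, and a "download from dropbox" story whose link actually points to a compromised third-party site. The following Python triage script, added here as an illustration and not part of MX Lab's original post, turns those three observations into checks over raw RFC 822 messages. The two sample messages are constructed for this example; the Return-Path value and the benign message are invented, while the subject, sender and link are the ones quoted on this page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject pattern seen in the campaign: "Payment Advice - Advice Ref:[GBnnnnnn] / CHAPS credits".
# Both a hyphen and an en dash are accepted because mail clients normalise them differently.
SUBJECT_RE = re.compile(
    r"Payment Advice\s*[-\u2013]\s*Advice Ref:\s*\[GB\d+\]\s*/\s*CHAPS credits", re.I
)
# Matches http(s) and defanged hxxp(s) links, capturing host and path separately.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^\s/]+)(/\S*)?", re.I)

# Constructed sample messages (not real captures). The Return-Path is an invented value
# standing in for the non-HSBC envelope sender such a spoofed mail typically carries.
SAMPLE_PHISH = """\
Return-Path: <bounce@example-bulkmailer.test>
From: HSBC Advising Service <advising.service@hsbc.com>
To: victim@example.test
Subject: Payment Advice - Advice Ref:[GB659898] / CHAPS credits
Content-Type: text/plain; charset=utf-8

Please download document from dropbox, payment advice is issued at the request of our customer.

Download link:
hxxp://paparellalogistica.it/banking/document.php

Yours faithfully,
Global Payments and Cash Management
"""

SAMPLE_BENIGN = """\
Return-Path: <alice@example.test>
From: Alice <alice@example.test>
To: bob@example.test
Subject: Lunch plans
Content-Type: text/plain; charset=utf-8

See you at noon. Menu is at https://www.example.test/menu
"""


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def _plain_text(msg):
    """Concatenate all text/plain parts (handles both single-part and multipart mail)."""
    text = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
    return "\n".join(text)


def triage(raw):
    """Return the list of campaign indicators that fire on one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []

    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject-matches-campaign")

    # The From header claims hsbc.com, but the envelope sender is a different domain.
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    if from_dom == "hsbc.com" and rp_dom and rp_dom != from_dom:
        hits.append("spoofed-hsbc-sender")

    body = _plain_text(msg)
    links = URL_RE.findall(body)

    # The text says "dropbox", yet no link in the body actually goes to dropbox.com.
    if "dropbox" in body.lower() and links and all(
        not host.lower().endswith("dropbox.com") for host, _ in links
    ):
        hits.append("dropbox-lure-with-non-dropbox-link")

    # A "payment advice" delivered as a server-side script or an archive is a red flag.
    if any(path.lower().endswith((".php", ".zip")) for _, path in links):
        hits.append("link-to-script-or-archive")

    return hits


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

The indicators are deliberately independent so that one firing on its own (a legitimate HSBC advice that mentions Dropbox, say) can be weighted rather than blocked outright; in this sample all four fire together, which is the combination worth quarantining.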

The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c.

The trojan creates a new service, gtpwz.exe, on the system, modifies the Windows registry, and makes outbound connections to the IP on ports 33294 and 33321.

At the time of writing, 5 of the 53 AV engines on Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 2ed5903942b5299ea69183aa040343338d220b66742c510c0895766fe0b70b9a
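With only 5 of 53 engines detecting the sample, the host and network artefacts listed above (the gtpwz.exe service, the outbound ports 33294 and 33321, and the SHA256) are more useful for hunting than signature hits. The Python below, added as an example and not taken from MX Lab's post, matches those indicators against endpoint and firewall events. The log lines are constructed for this example in a simple key=value format; the hostnames, paths and destination addresses (from the RFC 5737 documentation ranges) are invented, and only the service name, ports and hash come from the page.

```python
import hashlib
import re

# Indicators quoted in the write-up above.
KNOWN_SHA256 = "2ed5903942b5299ea69183aa040343338d220b66742c510c0895766fe0b70b9a"
IOC_PORTS = {33294, 33321}
IOC_BINARY = "gtpwz.exe"
IOC_SERVICE = "gtpwz"

# Constructed events (not real telemetry). Field names are an assumed key=value schema.
SAMPLE_LOGS = [
    "type=process_create host=ws01 image=C:\\Windows\\gtpwz.exe",
    "type=service_install host=ws01 name=gtpwz path=C:\\Windows\\gtpwz.exe",
    "type=net_conn host=ws01 image=C:\\Windows\\gtpwz.exe dst=203.0.113.7 dport=33294 dir=out",
    "type=net_conn host=ws01 image=C:\\Apps\\browser.exe dst=198.51.100.4 dport=443 dir=out",
    "type=net_conn host=ws02 image=C:\\Windows\\explorer.exe dst=203.0.113.9 dport=33321 dir=out",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict (values contain no spaces in this schema)."""
    return dict(KV_RE.findall(line))


def scan_logs(lines):
    """Return (host, indicator) pairs for every event that matches a known artefact."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host")

        # File-based indicator: the dropped binary run as a process or registered as a service.
        image_name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image_name == IOC_BINARY or ev.get("name", "").lower() == IOC_SERVICE:
            alerts.append((host, "upatre-binary"))

        # Network indicator: outbound traffic to the two ports used by the sample.
        if ev.get("type") == "net_conn" and ev.get("dir") == "out":
            if int(ev.get("dport", 0)) in IOC_PORTS:
                alerts.append((host, "upatre-port"))
    return alerts


def matches_known_sample(data):
    """True when the bytes hash to the SHA256 published for this Upatre sample."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SHA256


if __name__ == "__main__":
    for host, indicator in scan_logs(SAMPLE_LOGS):
        print(f"{host}: {indicator}")
    # Any file pulled from a quarantine can be checked the same way:
    print(matches_known_sample(b"constructed placeholder bytes"))
```

Note that ws02 fires only on the port indicator: a renamed dropper would escape the filename check, which is why the network rule is kept separate and should page on its own.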

5 thoughts on “Fake email from HSBC Advising Service leads to malware”

  1. I had 2 such emails today and sent them to “phishing@hsbc.com”, which I suggest you all do if you get the email. DO NOT CLICK ON LINK

  2. I receive them daily – as soon as I delete them a new one is coming after approx. 5 minutes, even after blocking them several times.

    What to do?
