URL in fake email from HSBC Payment Advice leads to obfuscated malicious Javascript


MX Lab, http://www.mxlab.eu, started to intercept a campaign by email with the subject “Payment Advice – Advice Ref:[GB363536] / CHAPS credits” where the obfusctaed Javascript technique is being used to infect a computer with a trojan or other malware.

This email is send from the spoofed address “HSBC Advising Service <bank@hsbci.co.uk>” and has the following body:

Sir/Madam,

Please download document from server, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:

hxxp://broadtech.co/HSBC.BANK_STORAGE_DATA/secure-document.html

Yours faithfully,
Global Payments and Cash Management
HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

***************************************************************************
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability
for any errors or omissions.
*******************************************************************
“SAVE PAPER – THINK BEFORE YOU PRINT!”

The embedded URL leads to the site hxxp://broadtech.co/HSBC.BANK_STORAGE_DATA/secure-document.html and simply shows the following content on screen:

just like dont away leave

creature thing kept minute then take theyre kill murder words

caught some fish steam straightenin hold into sure last time

creature steam again dont loud time

difficulty queer undoing child murder

thought snorting made knot this kill behind

shaped fish thing doubling again sneezing grunt

shaped when that made then dont reply

much nursing knot then left take this behind

queer like star thought itself left

Alice engine which this Dont

steam doubling straightenin dont wouldnt

held again sort foot undoing murder

caught held doubling minute then grunted

queer steam straightenin that wouldnt behind loud sneezing

with held thought soon which twist into keep theyre Dont

doubling altogether keep theyre behind

When looking in the HTML code, a Javascript is called from another host hxxp://dgntransport.pl/js/jquery-1.40.15.js. The code shown is too short to be a real JQuery Javascript.

When opening  this Javascript in a reader we have an obfusctaed Javascript:

$=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+””)[$],_$_:++$,$_$$:({}+””)[$],$$_$:($[$]+””)[$],_$$:++$,$$$_:(!””+””)[$],$__:++$,$_$:++$,$$__:({}+””)[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+””)[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+””)[$.__$])+…….. CUT……

At the time of writing, 1 of the 62 AV engines did detect the malicious Javascript at Virus Total. Visit Virus Total for more detailed information.