Malware in Fake HSBC Payment Advisory Spreading via Spam
This email purports to be a payment advice from Global Payments and Cash Management at HSBC. The ‘auto-generated’ email suggests that you open an attached file to view the payment advice document.
However, the email is not from HSBC and the attachment does not contain a payment advice document.
If you open the attached Microsoft Word file, you will be prompted to enable macros, ostensibly as a security measure. If you do allow macros, a malicious macro will run in the background. The macro will download and install malware on your computer.
HSBC customers, and online banking users in general, are constant targets of phishing and online banking scams. The spammed message we have seen targeting HSBC users poses as a reply to a supposed earlier mail request from the recipient. The payment advice referred to in the mail is an attachment, which Trend Micro detects as TROJ_UPATRE.YYSK.
Extracting the attachment leads the unsuspecting user to a file named CashPro, which looks like a PDF file. However, upon further checking, the attachment is actually the UPATRE malware. UPATRE is known to gather computer information. It is also known to download, or be distributed with, information theft malware such as ZBOT and DYRE.
Trend Micro products effectively block this malicious spam and its attachment.
What is HSBC Email Virus?
“HSBC Email Virus” is another spam email campaign similar to ADP Invoice, Barclays Secured Message, Sage Invoice, and many others. This campaign is designed to distribute a trojan-type virus called TrickBot. The emails essentially state that a money payment has not been processed and encourage users to open an attached MS Word document for more information. This is a scam – once opened, the attachment stealthily downloads and installs malware.
How did HSBC Email Virus infect my computer?
As mentioned above, “HSBC Email Virus” distributes a malicious MS Word document. After opening this file, users are encouraged to enable macro commands (otherwise, they are told, the content will not be displayed properly). This is a trick – by enabling macros, users allow the document to execute commands that stealthily download and install TrickBot. This distribution method has a major flaw, however: the document can download malware only if the user opens it using the MS Word program. Therefore, if the file is opened using any other app, malware will not be downloaded. Furthermore, TrickBot targets the Microsoft Windows Operating System only – if you are using another platform, you are safe.
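The two delivery forms described above (a macro-enabled Word document, and an archive whose CashPro member looks like a PDF but is an executable) can be checked statically before anyone opens the file. The Python triage sketch below is an added example, not code from the original article or from any vendor it names; the function names, finding labels and sample files are assumptions constructed for illustration, and it generalizes slightly by flagging any mismatch between a file's extension and its content.

```python
import io
import zipfile
# Leading magic bytes -> container type, and the type each extension should have.
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2"}
EXPECTED = {"pdf": "pdf", "doc": "ole2", "docx": "zip", "docm": "zip", "zip": "zip"}

def sniff(data):
    """Return the container type indicated by the leading bytes."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def triage(filename, data):
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "pe":
        findings.append("windows-executable")
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"claims-{ext}-but-is-{kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return findings + ["corrupt-zip"]
        # OOXML documents keep VBA macros in a part named vbaProject.bin.
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("contains-vba-macros")
        # Archive member with an executable extension, as in the CashPro case.
        if any(n.endswith((".exe", ".scr")) for n in names):
            findings.append("archive-contains-executable")
    return findings

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples (not real malware), built in memory.
SAMPLES = {
    "payment_advice.docm": make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"}),
    "advice.zip": make_zip({"CashPro.exe": b"MZ\x00"}),
    "CashPro.pdf": b"MZ\x90\x00constructed",
}
for name, blob in SAMPLES.items():
    print(name, triage(name, blob))
```

Legacy OLE2 .doc files are only identified by type here; finding macros inside them needs an OLE parser.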
How to avoid installation of malware?
Lack of knowledge and careless behavior are the main reasons for computer infections – the key to safety is caution. Therefore, it is very important to pay close attention when browsing the Internet. Think twice before opening email attachments. If the file seems irrelevant or has been received from a suspicious email address, it should never be opened. MS Office 2010 and newer versions are designed to open new documents in “Protected View” mode. This prevents download and installation of malware. Therefore, using old versions is risky. We also strongly recommend that you have a reputable anti-virus/anti-spyware suite installed and running. If you have already opened an “HSBC Email Virus” attachment, we recommend running a scan with Malwarebytes for Windows to automatically eliminate infiltrated malware.