HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised email:
Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – detected by 24 out of 47 antivirus scanners as Trojan.Win32.Bublik.blgc.
Once executed, the sample starts listening on ports 3670 and 6652.
It creates the following mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{572F15AA-25CB-ACC2-11EB-B06D3016937F}
Global\{572F15AA-25CB-ACC2-75EA-B06D5417937F}
Global\{572F15AA-25CB-ACC2-4DE9-B06D6C14937F}
Global\{572F15AA-25CB-ACC2-65E9-B06D4414937F}
Global\{572F15AA-25CB-ACC2-89E9-B06DA814937F}
Global\{572F15AA-25CB-ACC2-BDE9-B06D9C14937F}
Global\{572F15AA-25CB-ACC2-51E8-B06D7015937F}
Global\{572F15AA-25CB-ACC2-81E8-B06DA015937F}
Global\{572F15AA-25CB-ACC2-FDE8-B06DDC15937F}
Global\{572F15AA-25CB-ACC2-0DEF-B06D2C12937F}
Global\{572F15AA-25CB-ACC2-5DEF-B06D7C12937F}
Global\{572F15AA-25CB-ACC2-95EE-B06DB413937F}
Global\{572F15AA-25CB-ACC2-F1EE-B06DD013937F}
Global\{572F15AA-25CB-ACC2-89EB-B06DA816937F}
Global\{572F15AA-25CB-ACC2-F9EF-B06DD812937F}
Global\{572F15AA-25CB-ACC2-E5EF-B06DC412937F}
Global\{572F15AA-25CB-ACC2-0DEE-B06D2C13937F}
Global\{572F15AA-25CB-ACC2-09ED-B06D2810937F}
Global\{572F15AA-25CB-ACC2-51EF-B06D7012937F}
Global\{572F15AA-25CB-ACC2-35EC-B06D1411937F}
Global\{572F15AA-25CB-ACC2-29EF-B06D0812937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
It then drops three additional files on the affected hosts: MD5: 5df5b7fe7ee73b55362abdb4fa3b95ba, MD5: 01c1e2b13d9c177b8891f27ae06ed5c2 and MD5: cb7a5b65aac7de310a396d7458700f37.
It then phones back to the following C&C servers:
cardiffpower.com – 64.50.166.122
64.50.166.122
95.101.0.155
95.104.85.196
99.114.99.151
172.245.217.122
192.95.59.51
93.199.59.166
120.151.247.221
75.99.113.250
92.22.42.26
188.124.212.94
93.180.110.180
200.91.49.183
98.164.247.13
177.64.175.59
46.49.119.78
173.194.65.106
173.194.65.94
46.49.107.136
84.59.129.23
93.172.48.237
108.230.237.240
190.149.31.42
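As an added example (not part of the original post and not Webroot's tooling), the following Python script turns the indicators listed above (listening ports, mutex names, dropped-file hashes, C&C domain and IPs) into a detection pass over host and network telemetry. The key=value log format, the host names, the process ids and every sample record are constructed assumptions; only a subset of the mutex names is embedded, the rest can be pasted in from the list above.

```python
"""Match the Bublik 'payment e-Advice' indicators against telemetry lines.

Example code written for this write-up; the log format below is invented.
"""
import re

# Network indicators copied from the write-up.
CNC_IPS = {
    "64.50.166.122", "95.101.0.155", "95.104.85.196", "99.114.99.151",
    "172.245.217.122", "192.95.59.51", "93.199.59.166", "120.151.247.221",
    "75.99.113.250", "92.22.42.26", "188.124.212.94", "93.180.110.180",
    "200.91.49.183", "98.164.247.13", "177.64.175.59", "46.49.119.78",
    "173.194.65.106", "173.194.65.94", "46.49.107.136", "84.59.129.23",
    "93.172.48.237", "108.230.237.240", "190.149.31.42",
}
CNC_DOMAINS = {"cardiffpower.com"}
LISTEN_PORTS = {3670, 6652}
# Subset of the mutex names from the write-up; add the remaining ones as needed.
MUTEXES = {
    r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    r"Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}",
    r"Global\{572F15AA-25CB-ACC2-11EB-B06D3016937F}",
    r"Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}",
}
# Hashes of the dropper and the three dropped files from the write-up.
KNOWN_MD5S = {
    "2fbf89a24a43e848b581520d8a1fab27", "5df5b7fe7ee73b55362abdb4fa3b95ba",
    "01c1e2b13d9c177b8891f27ae06ed5c2", "cb7a5b65aac7de310a396d7458700f37",
}

# Constructed sample telemetry (record type followed by key=value pairs).
SAMPLE_LOG = """\
conn src=10.1.2.33 dst=64.50.166.122 dport=80 proto=tcp
dns src=10.1.2.33 query=cardiffpower.com
listen host=WS-0142 pid=3124 port=6652
mutex host=WS-0142 pid=3124 name=Global\\{572F15AA-25CB-ACC2-11EB-B06D3016937F}
conn src=10.1.2.34 dst=173.194.65.106 dport=443 proto=tcp
file host=WS-0142 md5=5DF5B7FE7EE73B55362ABDB4FA3B95BA path=C:\\Users\\x\\AppData\\Roaming\\a.exe
conn src=10.1.2.35 dst=8.8.8.8 dport=53 proto=udp
listen host=WS-0143 pid=4 port=445
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'type k=v k=v ...' into a dict; the record type goes under 'type'."""
    rtype, _, rest = line.strip().partition(" ")
    fields = dict(KV.findall(rest))
    fields["type"] = rtype
    return fields


def classify(rec):
    """Return a human-readable reason if the record matches an indicator, else None."""
    rtype = rec.get("type")
    if rtype == "conn" and rec.get("dst") in CNC_IPS:
        return f"connection to listed C&C {rec['dst']}:{rec.get('dport')}"
    if rtype == "dns" and rec.get("query", "").lower().rstrip(".") in CNC_DOMAINS:
        return f"DNS lookup of C&C domain {rec['query']}"
    if rtype == "listen" and rec.get("port", "").isdigit() and int(rec["port"]) in LISTEN_PORTS:
        return f"pid {rec.get('pid')} listening on backdoor port {rec['port']}"
    if rtype == "mutex" and rec.get("name") in MUTEXES:
        return f"known Bublik mutex {rec['name']}"
    if rtype == "file" and rec.get("md5", "").lower() in KNOWN_MD5S:
        return f"known sample or dropped component {rec['md5'].lower()}"
    return None


def scan(log_text):
    """Return [(line_number, reason), ...] for every line that hits an indicator."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reason = classify(parse_line(line))
        if reason:
            hits.append((number, reason))
    return hits


if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Treat a hit as a triage signal rather than a verdict: a C&C list captured from a sandbox run usually includes destinations the sample touched for other reasons, and the two 173.194.65.x addresses above sit in Google-owned address space, so a match on them alone will fire on ordinary traffic. The mutex, listening-port and hash matches are the higher-confidence host-side signals, and a host that combines one of those with a connection to one of the non-Google addresses is the case worth isolating first.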
Webroot SecureAnywhere users are proactively protected from these threats.