HSBC Email Virus

Also Known As: HSBC bank virus
Type: Trojan
Distribution: Moderate
Damage level: Severe

HSBC Email Virus removal guide

What is HSBC Email Virus?

"HSBC Email Virus" is another spam email campaign similar to ADP Invoice, Barclays Secured Message, Sage Invoice, and many others. This campaign is designed to distribute a trojan-type virus called TrickBot. The emails essentially state that the a money payment has not been processed and encourages users to open an attached MS Word document for more information. This is a scam - once opened, the attachment stealthily downloads and installs malware.

HSBC Email Virus malware

Firstly, HSBC is one of the largest banks in the world and has nothing to do with this spam campaign. Cyber criminals simply hide behind the name to trick unsuspecting users into opening the attachment. As mentioned above, the email states that a payment cannot be processed and encourages the user to open the attached document and perform a number of steps to resolve this issue. As mentioned, this is a scam. Cyber criminals use the names of legitimate companies and governmental agencies, since it is much simpler to trick users into opening files received from people or companies with familiar names (in this case, a large bank). TrickBot is a very dangerous virus. After system infiltration, it hijacks browsers and modifies visited websites so that entered logins/passwords are sent to a remote server controlled by TrickBot's developers. Therefore, cyber criminals might gain access to users' private accounts, including social networks, banks, and so on. Cyber criminals aim to generate as much revenue as possible, and so there is a high probability that these people will take advantage of any information obtained. Therefore, the presence of TrickBot malware can lead to serious privacy issues and significant financial loss. If you have recently opened attachments distributed via an "HSBC Email Virus" spam campaign, you should immediately scan the system with a legitimate anti-virus/anti-spyware suite and eliminate all detected threats.

Threat Summary:
Name HSBC bank virus
Threat Type Trojan, Password stealing virus, Banking malware, Spyware
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
▼ Download Malwarebytes
To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

There are many trojan-type viruses that share similarities with TrickBot (including, for example, LokiBot, Emotet, Adwind, and FormBook). As with HSBC Email Virus, these viruses are also distributed using spam email campaigns. In addition, most trojans are designed to record personal information. Some, however, proliferate other viruses (usually, ransomware). In any case, all pose a direct threat to your privacy and browsing safety.

How did HSBC Email Virus infect my computer?

As mentioned above, "HSBC Email Virus" distributes a malicious MS Word document. After opening this file, users are encouraged to enable macro commands (otherwise the content will not be displayed properly), however, this is a trick - by enabling macros, users allow the document to execute commands that stealthily download and install TrickBot. This distribution method, however, has a major flaw - documents are able to download malware only if the user opens them using the MS Word program. Therefore, if the file is opened using any other app, malware will not be downloaded. Furthermore TrickBot targets the Microsoft Windows Operating System only - if you are using another platform, you are safe.

How to avoid installation of malware?

Lack of knowledge and careless behavior are the main reasons for computer infections - the key to safety is caution. Therefore, it is very important to pay close attention when browsing the Internet. Think twice before opening email attachments. If the file seems irrelevant or has been received from a suspicious email address, it should never be opened. 2010 and newer MS Office versions are developed to open new documents in "Protected View" mode. This prevents download and installation of malware. Therefore, using old versions is risky. We also strongly recommend that you have a reputable anti-virus/anti-spyware suite installed and running. If you have already opened "HSBC Email Virus" attachment, we recommend running a scan with Malwarebytes for Windows to automatically eliminate infiltrated malware.

Text presented in the "HSBC Email Virus" email message:

Subject: Important : Troubles processing BACs payment
Good Morning,
We’re having troubles processing your request, we encountered an error processing your BACs payment.
What we need you to do
1. The documents are delivered through secure email via an attached file from HSBC. Please be aware this may be delivered to the spam folder.
2. When you open the document a message will appear saying the document requires phone verification. When you click the Send Code button, a code will be sent to your mobile phone.
3. Key that code in to the Code box on screen and select OK. You will now be able to complete the fields in the document as required.
4. Please note that the signature you upload needs to be a clear, current version of your standard signature which once added to the bank mandate can be used to authorise such account transactions as the paying away of funds.
5. Please ensure when you complete the form, that full names including any middle names are included.
6. When the final signatory has completed and signed the documents they will then be returned to me via secure email.
Yours sincerely
James Holand

Transaction Processing Specialist | Operations BACs, Faster Payments, CDD | Email: James.Holand@hsbc.co.uk

Malicious attachment distributed via "HSBC Email Virus" spam campaign:

Malicious attachment distributed through HSBC Email Virus spam campaign

Second variant of "HSBC Email Virus":

Second HSBC Email Virus campaign variant

Text presented within this email:

Subject: Incoming high value CHAPS payments

Good Morning ,

We received 2 high value CHAPS payments requests into the branch today.

Please complete and sign the attached documents and return for processing.
We require this information before we can release the payments to your account.

Thank you,

Olivia Brown BA (Hons) Cert (RBCB)
Business Banking and Wealth Management
HSBC BANK PLC HBEU
18 North Street, Leatherhead, Surrey KT22 7AR. South Region.
___________________________________________________________

Phone 08455928172
Email Olivia.Brown@hsbcemail.net

************************************************************
HSBC Bank plc
Registered Office: 8 Canada Square, London E14 5HQ
Registered in England – Number 14259
Authorised by the Prudential Regulation Authority and regulated by the
Financial Conduct Authority and the Prudential Regulation Authority
************************************************************

This E-mail is confidential

It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail.

Internet communications cannot be guaranteed to be timely secure, error or virus-free. The sender does not accept liability for any errors or omissions.

Screenshot of the malicious attachment proliferated using the second variant of "HSBC Email Virus":

HSBC Email Virus another attachment

Third variant of "HSBC Email Virus":

HSBC Email sample 3

Text presented within this email:

Subject: Account Review

Account Review
Dear Sir/Madam

The account review files has been issued at the request of our customer, please download it from the link below:

hxxps://hsbcdocuments.net/.............

Your documents have been encrypted with the strongest encryption and a unique key, please print and sign the attached document.

Yours faithfully,
Global Payment and Cash Management
HSBC

Screenshot of the malicious attachment proliferated using the third variant of "HSBC Email Virus":

HSBC Email Virus malicious attachment (sample 3)

Yet another variant of HSBC email spam campaign:

A variant of HSBC email virus

Text presented within this email:

Good day, Our Ref: WA3AEMIDLGB31.
Find enclosed payment copy made to your company account on behalf of our client to your receiving bank dated 10/04/2019. Kindly confirm payment and client Ref details from attache' swift copy and advice accordingly.
Awaiting your confirmation
Best Regards,
David Wong Funds Transfer Dept., Business Banking, Eastern District, Commercial Banking The Hongkong and Shanghai Banking Corporation Limited (1-1SBC 14/F, Causeway Bay Plaza Two, 463-483 Lockhart Road, Causeway Bay, Hong Kong. Email: customerserviceeOhsbcpcom.hk  web: hxxps://www.hsbc.com.hk

Screenshot of the malicious Microsoft Excel attachment ("Paymentreceipt.xlsx"):

HSBC Email virus malicious attachment

Yet another variant of "HSBC" email spam campaign. This variant distributes NanoCore remote access trojan and the attachment is "swift_274456.iso", which contains "swift_274456.exe" file.

Screenshot of deceptive email:

HSBC email spam campaign distributing NanoCore trojan

Text presented within this email:

Greetings.. The attached payment advice is issued at the request of our customer. please kindly confirm your bank swift-code/account body,

we have been trying to send this funds out to you lately but it had always bounced back.

This advice is for your reference only**
Yours faithfully,

Global Payments and Cash Management

HSBC UK

Skype: rick.tev2
This is not an auto-generated email, please TAKE NOTE. Awaiting your urgent reply in order to proceed again.
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.

2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.

3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

Screenshot of the malicious attachment:

HSBC email spam campaign malicious attachment swift_274456.iso

Threat Summary:
Name swift_274456.iso
Threat Type Remote access trojan, Password stealing virus, Banking malware, Spyware
Detection Names Antiy-AVL (Trojan[Dropper]/Win32.Sysn), McAfee (Artemis!9585B363E418), Microsoft (Trojan:Win32/Sonbokli.A!cl), Tencent (Win32.Trojan.Autoit.Auto), Full List (VirusTotal)
Payload NanoCore RAT
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.
▼ Download Malwarebytes
To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Update September 12, 2019 - Cyber criminals have recently started using "HSBC" email spam campaign to spread Agent Tesla remote access tool (RAT) and LokiBot trojan:

Example of "HSBC" spam email spreading Agent Tesla:

HSBC Email Virus spreading Agent Tesla

Text presented within this email:

Subject: Bank Transfer Payment Notification

Attachment:  Transfer Copy swift.r00


Our Ref: HSBCT8723.

Find enclosed Hire payment proof made to your company account on behalf of our client to your receiving bank dated 10/09/2019.

Kindly confirm payment and client Ref details from attached swift Copy and advice accordingly.

Thanks and regards,
David Wong
Funds Transfer Dept.,
Business Banking, Eastern District, Commercial Banking
The Hongkong and Shanghai Banking Corporation Limited (HSBC)
14/F, Causeway Bay Plaza Two, 463-483 Lockhart Road,
Causeway Bay, Hong Kong.
Email: customerservice@hsbc.com.hk

Example of "HSBC" spam email spreading LokiBot:

HSBC Email Virus distributing LokiBot

Text presented within this email:

Subject: HSBC SWIFT - Advice Ref:[A006128204]/Customer Ref:[A002821820]

 

Attachment: HSBC SWIFT-ADVISE.ace

 

Dear Sir/Madam,

The attached payment advice is issued at the request of our customer.
The advice is for your reference only.

Yours faithfully,
Global Payments and Cash Management
HSBC

***************
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.
***************
Security tips
1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.
***************

***************
This email is confidential. It may also be legally privileged.
If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email.
Internet communications cannot be guaranteed to be timely, secure or virus-free. The sender does not accept liability for any errors or omissions.
***************

Appearance of yet another HSBC-themed spam email which distributes TrickBot malware:

HSBC-themed spam email distributing the TrickBot malware (2020-06-29)

Text presented within:

Subject: Fwd: Re:Re:Re: proof of payment HSBC

Hello,

We have been unable to reach you with our normal email,

Attached is the proof of payment made to your bank account today,

please confirm and get back to us immediately.

Awaiting your response.

 Best Regards,

YuanXing Q.

YQUANZHOU CO. LTD

Office Address:

A- 02 Tanhuashan Industrial Area,

Yougchun County

Quanzhou City, Fuanjian

362600 China

Appearance of the malicious MS Word document attached to this email (GIF):

HSBC-themed spam email distributing a malicious MS Word attachment which injects TrickBot into the system

Yet another HSBC-themed spam email distributing a malicious attachment (MS Word document):

HSBC-themed spam email distributing a malicious attachment

Text presented within:

Subject: Fwd: Re:Re:Re: proof of payment HSBC

Hello,   

Please find attached remittance advice with respect to the payment made
towards invoices.
 
Payment instructions have been sent to the bank to release your payment.
You will receive money in your bank account as soon as bank clears the
payment.
 
This is a system generated message from HSBC Advising service.
Please Reply this mail.
 
Thanks and Regards,

Catherine Liu
Remittance Department
BANK OF CHINA
BEIJING BRANCH
A,C,E KAIHENG CENTER,
2 CHAOYANGMEN NEI DAJIE,
DONGCHENG DISTRICT,
BEIJING, CHINA
TEL:(86) 010-85121491
FAX:(86) 010-85121739
POST CODE: 10001
________
 
 
*********
This e-mail is confidential. It may also be legally privileged.
If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.
 
Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability
for any errors or omissions.
*********
 
"SAVE PAPER - THINK BEFORE YOU PRINT!"

Screenshot of the attached MS Word document:

Malicious MS Word attachment distributed using HSBC-themed spam emails

A Norwegian version of HSBC-themed spam email used to spread Agent Tesla RAT. The attachment is a .img file which contains a malicious executable:

Norwegian HSBC spam email spreading Agent Tesla RAT

Text presented within:

Subject: Hasting varsel om intern betaling (MT103)

 

Kjære -

 

Den vedlagte betalingsrådmeldingen som er gitt til den mottakende banken din blir gitt på forespørsel fra vå klient, din forretningsklient. Betalingsrådgivningen er kun til referanse.
Vær oppmerksom på at dette er et raskt elektronisk varsel med detaljene oppført i vedlagte betalingsreferansefil. Bekreft betalingen med banken din.

Vennlig hilsen,
Globale betalinger og kontanthåndtering
HSBC Global Banking
Europa - Norge - WorldWide
www.hsbcbanking.com
************************************************** **********************

BO SKIKKER! BESKYTT DEG SELV FRA CORONA VIRUS
Dette er en automatisk generert e-post, IKKE SVAR. Ethvert svar på dette
e-post vil ikke bli tatt i betraktning.

Informasjonen i denne kommunikasjonen er utelukkende beregnet på personen eller enheten den er adressert til. Det kan inneholde proprietært materiale, konfidensiell informasjon og / eller væere underlagt juridiske rettigheter. Bruk og / eller distribusjon av denne kommunikasjonen av tredjepart er forbudt. Hvis du ikke er mottaker, kan du ikke kopiere, videresende, avsløre eller bruke noen del av denne meldingen, men du kan slette den permanent. Alle meninger som kommer til uttrykk i denne meldingen er av den enkelte avsender, bortsett fra når avsenderen spesifikt indikerer at de er av HSBC (Global).

HSBC (Global) og dets datterselskaper er ikke ansvarlig for tilstrekkelig og fullstendig overføring av informasjonen i denne kommunikasjonen eller for forsinkelser i mottakelsen eller for spesiell, tilfeldig eller følgeskade av noen art som følger av mottak eller bruk. av denne kommunikasjonen. Meninger, konklusjoner og annen informasjon om denne meldingen som ikke har tilknytning til Banco HSBC (Global) offisielle virksomhet, vil ikke bli forstått som gitt eller godkjent av den.

Tenk på miljøet før du skriver ut denne e-posten.

Another HSBC-themed spam email used to spread Agent Tesla RAT (the attached archive contains a malicious executable):

HSBC-themed spam email used to spread Agent Tesla RAT

Text presented within:

Subject: Fwd: Swift - Advice Ref:[GLVA15182769] / Priority payment / Customer Ref:[8000106815]

 

Dear Sir/Madam,

The attached Swift is issued at the request of our customer. The
advice is for your reference only.

Secured in ZIP file

Yours faithfully,
Global Payments and Cash Management
HSBC

****************

This is an auto-generated email, please DO NOT REPLY. Any replies
to this
email will be disregarded.

****************

Security tips

1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure
you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the
remitter of this payment as soon as possible.

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Malwarebytes for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

 

manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

extract autoruns.zip and run autoruns.exe

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

locate the malware file you want to remove

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Malwarebytes for Windows.

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
HSBC bank virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of HSBC bank virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

▼ REMOVE IT NOW
Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.