Author: James Barnett
From June 9 to 17, Infoblox observed multiple malspam campaigns that used DocuSign-themed lures. The malspam enticed users to download and open Microsoft Word documents with malicious macros that installed embedded copies of the trojan downloader Hancitor. The existence of these campaigns was independently corroborated by multiple external sources [1,2,3,4].
Hancitor targets businesses and individuals around the world. Threat actors distribute it via malspam sent by compromised servers in the United States, Japan, Canada and many other countries. These malicious emails mimic notifications from legitimate organizations to entice the targets to download weaponized Microsoft Office documents.
We have written about previous Hancitor campaigns in April 2020 [5] and December 2020 [6]. Many of Hancitor’s core characteristics have remained the same, but these recent campaigns use a new method of obfuscating malicious URLs in their malspam messages.
The emails in these campaigns use a DocuSign-themed lure to entice a target into opening a link in the message. The subject lines of the emails indicate that the target has a pending invoice or notification from DocuSign. Each email contains an embedded link that uses Google’s Feed Proxy service to redirect the target to a compromised website that hosts a malicious Microsoft Word document.
Upon clicking the link in the initial Hancitor malspam email, the victim is redirected to one of several websites that try to download a malicious Word file. When the victim opens this file, it displays a message instructing the victim to enable content. Doing so executes the malicious macros in the document. The macros then extract and execute the Hancitor payload’s dynamic link library (DLL) embedded within the Word document, thus establishing the initial Hancitor infection.
Once Hancitor infects the victim’s system, it sends basic information about the system to one of its hardcoded command and control (C&C) servers. The server responds with further instructions, which direct Hancitor to download and execute one or more additional malware payloads.
In these campaigns, Hancitor delivered one of two possible additional payloads. The first payload was Cobalt Strike: a legitimate penetration testing tool that has been gaining popularity among threat actors. Its features include infostealer capabilities, such as keylogging; exploits that can leverage system vulnerabilities to facilitate additional attacks; and various methods that help conceal the infostealer’s activity on both the infected system and the victim’s network [7].
The second payload was Ficker Stealer: a relatively new Malware-as-a-Service (MaaS) infostealer, identified in August 2020 [8]. According to the author of Ficker Stealer, the malware is capable of stealing web browser passwords, cryptocurrency wallets, FTP client information, credentials stored by Windows Credential Manager, and session information from various chat and email clients [9].
Vulnerabilities & Mitigation
Hancitor uses several advanced detection countermeasures to bypass antivirus software and firewall-based security. The best way for users to protect themselves from Hancitor is to be wary of links in incoming emails. Namely, a user should:
- Ensure that links in an email point to the domain of the company where the email appears to have originated. For example, if the sender is FedEx, that domain would be http://fedex[.]com.
- Be suspicious of a link that, when clicked, immediately attempts to download a file.
- Avoid enabling macros in a Microsoft Office attachment, especially if the file’s only apparent content is a message with instructions to enable the macros.
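The first check in the list above can be automated at a mail gateway or in triage tooling. The following is an added example, not code from Infoblox or from the original report: it extracts the links from an HTML message, flags any that pass through a redirector, and flags any whose domain differs from the sender's. The Feed Proxy hostname, the sample message, and all function names are assumptions made for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hostname of Google's Feed Proxy service (the report names the service only).
REDIRECTORS = {"feedproxy.google.com"}

# Constructed sample message; every address and URL here is made up for this example.
SAMPLE = """From: DocuSign <notify@docusign.example>
Subject: Constructed: pending invoice from DocuSign
Content-Type: text/html; charset="utf-8"

<a href="http://feedproxy.google.com/~r/constructed/~3/constructed-id/x">View</a>
<a href="https://www.docusign.example/help">Help</a>
<a href="https://files.unrelated.example/doc">Alternate link</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def base_domain(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_links(raw_email):
    """Return (url, reason) for each link that fails the sender-domain check."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = base_domain(sender.rpartition("@")[2])
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        charset = part.get_content_charset() or "utf-8"
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for url in collector.links:
            host = urlsplit(url).hostname or ""
            if host in REDIRECTORS:      # destination is hidden behind a redirect
                findings.append((url, "redirector"))
            elif host and base_domain(host) != sender_domain:
                findings.append((url, "domain-mismatch"))
    return findings
```

A redirector hit is reported separately from a plain mismatch because the visible hostname says nothing about where the link finally lands.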