Author: James Barnett
TLP: WHITE
On 18 March, security researcher Brad Duncan reported a malspam campaign that used DocuSign-themed lures to entice users into downloading and opening Microsoft Word documents. The documents contained malicious macros that install embedded copies of the Hancitor trojan downloader [1]. These copies of Hancitor then delivered additional payloads containing Cobalt Strike and Ficker Stealer.
Hancitor is a trojan downloader that targets businesses and individuals around the world. It is distributed via malspam sent by compromised servers in many countries, including the United States, Japan and Canada. These malicious emails mimic notifications from legitimate organizations to entice the user to download a weaponized Microsoft Office document.
Infoblox has reported on multiple Hancitor campaigns in the past, most recently in December 2020 [2,3]. Hancitor’s core characteristics have remained the same since our last report, and this new campaign is notable for how similar it is to the one we previously reported. Both campaigns use a nearly identical lure and deliver the same types of malware payloads. This may indicate that the threat actors behind Hancitor have become comfortable with this pattern of attack. If so, we could see more campaigns with similar lures and payloads in the future.
The emails in these campaigns used a DocuSign lure to entice targets into opening links in the messages. The subject lines of the messages indicated that the target had a pending invoice or notification from DocuSign. Each email contained an embedded link leading to a Google search redirect page.
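The lure pattern described above (a DocuSign-themed subject combined with a link that passes through a Google search redirect) can be turned into a simple mail-triage check. This is an added example, not code from the Infoblox advisory; it assumes the redirect links take the common Google form https://www.google.com/url?q=<destination>, and the sample messages and hostnames below are constructed placeholders, not indicators from the campaign.

```python
"""Added example (not from the Infoblox advisory): flag emails matching the
DocuSign-lure pattern. Assumes Google redirect links look like
https://www.google.com/url?q=<destination>; all samples are constructed."""
import re
from urllib.parse import urlparse, parse_qs, unquote

LURE_SUBJECT = re.compile(r"docusign", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def google_redirect_target(url: str):
    """Return the destination a Google search-redirect link points to, or None."""
    p = urlparse(url)
    if not p.netloc.lower().endswith("google.com") or p.path != "/url":
        return None
    q = parse_qs(p.query).get("q")   # parse_qs already percent-decodes
    return unquote(q[0]) if q else None

def assess_email(subject: str, body: str) -> dict:
    """Lure subject plus a redirect leaving google.com marks the message suspicious."""
    targets = []
    for u in URL_RE.findall(body):
        dest = google_redirect_target(u)
        if dest and not urlparse(dest).netloc.lower().endswith("google.com"):
            targets.append(dest)   # destination host worth blocking/reviewing
    lure = bool(LURE_SUBJECT.search(subject))
    return {"lure_subject": lure, "redirect_targets": targets,
            "suspicious": lure and bool(targets)}

# Constructed sample messages (placeholder hosts under .test, not real IoCs)
SAMPLES = [
    ("DocuSign: Your pending invoice",
     "Review here: https://www.google.com/url?q=http://example-invoice.test/doc"),
    ("Weekly newsletter",
     "Read: https://www.google.com/url?q=https://www.google.com/about"),
    ("You have a DocuSign notification",
     "Open https://example.org/legit"),
]

def triage(samples=SAMPLES):
    """Assess every (subject, body) pair and return the verdicts in order."""
    return [assess_email(s, b) for s, b in samples]

if __name__ == "__main__":
    for (subj, _), r in zip(SAMPLES, triage()):
        print(f"{r['suspicious']!s:5} {subj!r} -> {r['redirect_targets']}")
```

Only the first sample is flagged: the redirect target is what a responder would feed into DNS or proxy blocking, while a lure subject alone (third sample) is logged but not acted on.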
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.malware-traffic-analysis.net/2021/03/18/index.html
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–69
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–96