Author: James Barnett
Between 23 November and 8 December, Infoblox observed multiple malicious spam (malspam) campaigns that all used DocuSign-themed lures to entice users to download and open Microsoft Word documents with malicious macros that install embedded copies of the Hancitor trojan downloader.
Hancitor is a trojan downloader that targets businesses and individuals around the world. It is distributed via malspam sent by compromised servers in many countries, including the United States, Japan and Canada. These malicious emails mimic notifications from legitimate organizations to entice the user to download a weaponized Microsoft Office document.
We wrote about a previous Hancitor campaign in April 2020.1 While many of Hancitor’s core characteristics have remained the same, this recent series of campaigns includes a slightly more complex attack chain and delivers different types of malware payloads after establishing the initial Hancitor infection.
The emails in these campaigns used a DocuSign lure to entice targets into opening links in the messages. The subject lines of the messages indicated that the target had a pending invoice or notification from DocuSign. Each email contained an embedded link leading to a Google Docs file.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.