On 14 April, security researcher JTHL (@JayTHL) reported a Humana Insurance/COVID-19-themed malicious spam (malspam) campaign delivering Hancitor malware, also known as Chanitor, via a macro embedded in a Microsoft Excel (XLS) file.[1]
Hancitor is a trojan downloader distributed through malicious Microsoft Office documents: the campaign lures the victim into opening the document, the embedded macro runs Hancitor, and Hancitor in turn introduces additional malware onto the victim’s machine. The stage-two payloads are designed to steal personally identifiable information (PII) such as device credentials or banking information. Once Hancitor infects a device, it contacts its command and control (C2) server for instructions and downloads the additional malware it is told to fetch, such as the Gozi, Pony, or Evil Pony information stealers (infostealers).
The messages in this campaign impersonate the healthcare provider Humana with subject lines such as “The above is a safe message coming from Humana. #<digits>.” The bodies of the emails prompt the user to click a “See Details” button for information on a fraudulent invoice for a COVID-19 protection plan.
Malspam subject lines:
- The above is a secure e-mail from Humana. #141241276
- The above is a safe message coming from Humana. #1446999
- This is a secure message coming from Humana. #1224
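The three subject lines above differ only in a few interchangeable words, which makes them a good candidate for a single pattern rule in a mail gateway or SIEM. The following is an added example (not Infoblox’s code or a published detection) that generalises the observed subjects into one regular expression and combines it with a sender-domain check over a constructed set of message headers; the assumption that legitimate Humana mail originates from the humana.com domain, and the sample messages themselves, are the author’s and not taken from the report.

```python
import re
from dataclasses import dataclass

# Regex generalising the three observed subject lines:
#   "The above is a secure e-mail from Humana. #141241276"
#   "The above is a safe message coming from Humana. #1446999"
#   "This is a secure message coming from Humana. #1224"
# Each slot ("The above"/"This", "secure"/"safe", "e-mail"/"message",
# optional "coming") is an alternation, and the trailing tracking number
# is one or more digits after "#".
HUMANA_SUBJECT_RE = re.compile(
    r"^(?:The above|This) is a (?:secure|safe) (?:e-?mail|message) "
    r"(?:coming )?from Humana\.\s*#\d+\s*$",
    re.IGNORECASE,
)

# Assumption (not from the report): genuine Humana notifications come from
# this domain, so a Humana-themed subject from any other domain is spoofed.
LEGIT_SENDER_DOMAINS = {"humana.com"}

# Body lure described in the campaign: a "See Details" call to action.
LURE_RE = re.compile(r"\bsee details\b", re.IGNORECASE)


@dataclass
class Verdict:
    subject: str
    sender: str
    matched_subject: bool   # subject fits the campaign template
    spoofed_sender: bool    # sender domain is not a legitimate Humana domain
    lure_in_body: bool      # "See Details" call to action present

    @property
    def suspicious(self) -> bool:
        # Subject template alone is not enough: a real Humana notice could
        # share the wording, so require the spoofed-sender signal as well.
        return self.matched_subject and self.spoofed_sender


def sender_domain(addr: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def classify(subject: str, sender: str, body: str = "") -> Verdict:
    domain = sender_domain(sender)
    return Verdict(
        subject=subject,
        sender=sender,
        matched_subject=bool(HUMANA_SUBJECT_RE.match(subject)),
        spoofed_sender=domain not in LEGIT_SENDER_DOMAINS,
        lure_in_body=bool(LURE_RE.search(body)),
    )


def scan(messages):
    """Return the verdicts for every message that trips the rule."""
    return [
        v for v in (classify(s, f, b) for s, f, b in messages) if v.suspicious
    ]


# Constructed sample messages (subject, sender, body); the senders and
# bodies are illustrative, not captured campaign data.
SAMPLE_MESSAGES = [
    ("The above is a secure e-mail from Humana. #141241276",
     "Humana <alerts@mail.example.net>",
     "Your COVID-19 protection plan invoice is attached. See Details"),
    ("This is a secure message coming from Humana. #1224",
     "noreply@example.org",
     "Please click See Details to view the invoice."),
    # Same wording but from the legitimate domain: matched, not flagged.
    ("The above is a safe message coming from Humana. #1446999",
     "notify@humana.com",
     "Your statement is ready."),
    # Unrelated mail: neither signal fires.
    ("Your Humana statement is ready",
     "newsletter@example.com",
     "Monthly newsletter"),
]


if __name__ == "__main__":
    for v in scan(SAMPLE_MESSAGES):
        print(f"FLAG  {v.sender!r}  subject={v.subject!r}  lure={v.lure_in_body}")
```

Running the block flags the first two constructed messages and leaves the other two alone; the third shows why the subject regex is paired with a sender check rather than used on its own.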
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.