Hancitor Downloads Infostealers

Share On Facebook
Share On Twitter
Share On Linkedin

Author: James Barnett

TLP: WHITE

 

Overview

From June 9 to 17, Infoblox observed multiple malspam campaigns that used DocuSign-themed lures. The malspam enticed users to download and open Microsoft Word documents with malicious macros that installed embedded copies of the trojan downloader Hancitor. The existence of these campaigns was independently corroborated by multiple external sources.1,2,3,4 

Customer Impact

Hancitor targets businesses and individuals around the world. Threat actors distribute it via malspam sent by compromised servers in the United States, Japan, Canada and many other countries. These malicious emails mimic notifications from legitimate organizations to entice the targets to download weaponized Microsoft Office documents.

We have written about previous Hancitor campaigns in April 20205 and December 2020.6 Many of Hancitor’s core characteristics have remained the same, but these recent campaigns use a new method of obfuscating malicious URLs in their malspam messages.

Campaign Analysis

The emails in these campaigns use a DocuSign-themed lure to entice a target into opening a link in the message. The subject lines of the emails indicate that the target has a pending invoice or notification from DocuSign. Each email contains an embedded link that uses Google’s Feed Proxy service to redirect the target to a compromised website that hosts a malicious Microsoft Word document.

Attack Chain

Upon clicking the link in the initial Hancitor malspam email, the victim is redirected to one of several websites that try to download a malicious Word file. When the victim opens this file, it displays a message instructing the victim to enable content. Doing so executes the malicious macros in the document. The macros then extract and execute the Hancitor payload’s dynamic link library (DLL) embedded within the Word document, thus establishing the initial Hancitor infection.

Once Hancitor infects the victim’s system, it sends basic information about the system to one of its hardcoded command and control (C&C) servers. The server responds with further instructions, which direct Hancitor to download and execute one or more additional malware payloads.

In these campaigns, Hancitor delivered one of two possible additional payloads.The first payload was Cobalt Strike: a legitimate penetration testing tool that has been gaining popularity among threat actors. Its features include infostealer capabilities, such as keylogging; exploits that can leverage system vulnerabilities to facilitate additional attacks; and various methods that help conceal the infostealer’s activity on both the infected system and the victim’s network.7

The second payload was Ficker Stealer: a relatively new Malware-as-a-Service (MaaS) infostealer, identified in August 2020.8 According to the author of Ficker Stealer, the malware is capable of stealing web browser passwords, cryptocurrency wallets, FTP client information, credentials stored by Windows Credential Manager, and session information from various chat and email clients.9

Vulnerabilities & Mitigation

Hancitor uses several advanced detection countermeasures to bypass antivirus software and firewall-based security. The best way for users to protect themselves from Hancitor is to be wary of links in incoming emails. Namely, a user should:

  • Ensure that links in an email point to the domain of the company where the email appears to have originated. For example, if the sender is FedEx, that domain would be http://fedex[.]com.
  • Be suspicious of a link that, when clicked, immediately attempts to download a file.
  • Avoid enabling macros in a Microsoft Office attachment, especially if the file’s only apparent content is a message with instructions to enable the macros.

Endnotes

  1. https://pastebin.com/FKkX5djU
  2. https://pastebin.com/4BgfXiw8
  3. https://www.malware-traffic-analysis.net/2021/06/17/index.html
  4. https://twitter.com/James_inthe_box/status/1402638692666142727
  5. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–69
  6. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–96
  7. https://www.cobaltstrike.com/features
  8. https://twitter.com/Cyber_Bolo/status/1294576137495023616
  9. https://twitter.com/3xp0rtblog/status/1321209656774135810

 

 

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×