It's been one month since my last diary on malcious spam (malspam) with links to malicious Word documents containing Hancitor . Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis.
Recently, these emails have stopped leading to Vawtrak. Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7]. Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.
For now, I'm keeping my flow chart open on the final malware. With that in mind, let's take a look at some infection traffic generated on Thursday 2017-02-09 based on one of these emails.
These emails generally have different subject lines each day, and they have spoofed sending addresses. The example I saw on 2017-02-09 was a fake message about a money transfer. It's similar to a wave of malspam seen the day before.
The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file will have the recipient's name from the email address. I used a base64 string for a made-up email address and received a file named bofa_statement_marci.jones.doc.
The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. At first, I thought Pony was retrieving the DELoader malware; however, another researcher told me it's Hancitor that grabs DELoader. I haven't had time to investigate; however, I probably need to update my flowchart.
Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam reported I've seen during the past week or two.
Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I've seen for malware identified as DELoader.
Indicators of Compromise (IOCs)
Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:
Traffic after enabling macros on the Word document:
Associated file hashes:
As this campaign progresses, IOCs will continue to change, and I'm sure traffic patterns will continue to evolve.
Pcap and malware for this diary can be found here.
Feb 18th 2017
9 months ago