Introduction

Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) has been somewhat quiet since its last wave of 2017 on December 21st. During the holidays, Hancitor took a break. In the first three weeks of 2018, I saw only one wave of Hancitor malspam, on Wednesday 2018-01-10. But on Tuesday 2018-01-23, we saw a new wave of Hancitor malspam. This time, links in the emails returned an RTF file that exploits CVE-2017-11882. As usual, these waves of malspam are most often caught by spam filters, so few people will actually see the messages, and best security practices can easily prevent these infections from happening. But we continue to see this malspam, so today's diary examines the infection traffic in my lab environment.

Chain of events

Operational characteristics of this campaign haven't changed much during the past few months. This campaign sends out waves of malspam using a different themed template each day it's active. Tuesday's theme spoofed eFax messages. Hancitor malspam has used variations on this eFax theme several times before. Each email has a link to download a fake document. The result is most often a Microsoft Word document with macros that run Hancitor. Once activated, Hancitor then downloads two or three additional items of malware. The additional malware is usually Pony, Evil Pony, and Zeus Panda Banker. Pony and Evil Pony stay resident in the infected host's memory (they're both file-less); however, I can always grab a copy of Zeus Panda Banker that's been saved to disk.
Starting on 2017-11-21, I saw examples of the IcedID banking Trojan instead of Zeus Panda Banker on infected hosts in my lab environment. Further waves of Hancitor malspam switched back and forth between IcedID and Zeus Panda Banker. However, 2017-12-13 was the last time I saw the IcedID banking Trojan during Hancitor infection traffic. It's consistently been Zeus Panda Banker since 2017-12-18.

At times, post-infection traffic will show another item of follow-up malware. In this diary's example, I also saw spambot malware. The malware caused my infected lab host to send out more Hancitor malspam, or at least it tried to. The few successful SMTP connections from my infected host were flagged by the receiving mail servers, and no spam was actually sent.

In October 2017, we briefly saw Hancitor malspam utilizing Microsoft Word documents with the DDE attack technique. But after 10 days, it had gone back to using Word macros. I predict that, after trying out these RTF files, Hancitor malspam will go back to regular Word document macros in the near future.

CVE-2017-11882

The CVE-2017-11882 vulnerability was patched by Microsoft in November 2017. Since then, I've documented RTF files exploiting this vulnerability from malspam pushing malware like Loki-Bot and Formbook. By now, exploits for this vulnerability are old news, and more than 1,000 samples have been submitted to VirusTotal since November 2017.
Tuesday's wave of malspam

Below is a screenshot from an example of Hancitor malspam on Tuesday 2018-01-23.
Prior to December 2017, URLs in the malspam's message text included base64 encoded strings representing the recipient's email address. Sometimes, they were just plain text. However, since early December 2017, URLs in the message text have been using a custom encoding that I haven't figured out yet. The email link returned an RTF file disguised as a Word document using the .doc file extension.
Network traffic

I opened the RTF file using Microsoft Word on a vulnerable Windows 7 host, and it automatically retrieved the Hancitor binary and started the infection process. The Hancitor binary was encoded as a base64 string inside a script returned from ofthi.com. See the image below for details.
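Two base64 usages come up in this diary: the recipient address carried in the pre-December-2017 malspam URLs, and the Hancitor binary carried as a base64 string in the script returned from ofthi.com. The following Python triage helper is an added example, not code from the diary. It pulls base64-looking tokens out of a URL or a script body, decodes the ones that are valid base64, and tags each as an email address, a PE executable (decoded bytes begin with the DOS "MZ" header), or other. The sample URL and the fake script body are constructed for this example; the embedded "payload" is only an MZ/PE header stub, not a real binary.

```python
import base64
import binascii
import re

# Constructed sample inputs for this example (not from the diary). SAMPLE_URL mimics the
# pre-December-2017 malspam links, which carried the recipient address base64-encoded.
SAMPLE_URL = ("http://example.invalid/fax/?id="
              + base64.b64encode(b"victim@example.invalid").decode())

# A stand-in for the script body that delivered the Hancitor binary: the "payload" is a
# base64 string whose decoded bytes begin with the DOS "MZ" header of a PE file. Only a
# header stub is used here, so nothing executable is embedded.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_SCRIPT = 'var payload = "' + base64.b64encode(FAKE_PE).decode() + '";\n'

# Candidate tokens: base64 alphabet, at least 16 characters (cuts down on false hits),
# optional "=" padding. "/" is in the alphabet, so long URL paths can match too; that is
# acceptable for triage because tokens that are not valid base64 fail decoding below.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL = re.compile(rb"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def find_base64_tokens(text: str) -> list:
    """Return every substring of text that looks like a base64 token."""
    return B64_TOKEN.findall(text)


def classify_decoded(data: bytes) -> str:
    """Label decoded bytes: 'pe' (MZ header), 'email' (address), or 'other'."""
    if data[:2] == b"MZ":
        return "pe"
    if EMAIL.match(data):
        return "email"
    return "other"


def triage(text: str) -> list:
    """Return (token, kind, decoded_bytes) for each token that is valid base64."""
    results = []
    for token in find_base64_tokens(text):
        try:
            # validate=True rejects characters outside the alphabet; a bad length or
            # padding raises binascii.Error as well, so junk tokens are skipped
            data = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        results.append((token, classify_decoded(data), data))
    return results


def extract_embedded_pe(text: str):
    """Return the first decoded PE payload found in text, or None if there is none."""
    for _token, kind, data in triage(text):
        if kind == "pe":
            return data
    return None


if __name__ == "__main__":
    for token, kind, data in triage(SAMPLE_URL) + triage(SAMPLE_SCRIPT):
        print(f"{kind:5} {len(data):4d} bytes  {token[:24]}...")
```

Run against a captured HTTP response body, extract_embedded_pe() gives you the dropped binary for hashing and sandboxing without executing the script; run against the link in an email, triage() tells you whether the campaign is still tagging each message with the recipient's address.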
Otherwise, traffic looked very similar to Hancitor infections I've documented numerous times in recent months.
As I mentioned earlier, in this infection, I saw another item of malware sent to my infected lab host. It was spambot malware based on the Send-Safe bulk mailer. After this malware came across, my infected host generated indicators for Send-Safe, and I saw plenty of attempts at SMTP.
Forensics on the infected host

I checked my infected Windows host to see what artifacts remained after the computer had been infected for a while. I found Zeus Panda Banker in its usual location, and the Send-Safe spambot malware EXE was in a folder under the user's AppData\Local\Temp directory.
Indicators

I collected 30 emails from Tuesday's wave of malspam. The malspam spoofed chartersteeltrading.com as a sender, but that company is not involved with this malspam at all. Details on these emails follow.
IP addresses for the sending hosts (hostname spoofed):
Subject lines:
Links from the emails:
URL to retrieve the Hancitor binary that returned script with a base64 string:
Post-infection traffic from my infected lab host:
Associated malware:
SHA256 hash: 6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297
SHA256 hash: 2c506742267dd9d41dc62f2614f6306458da185230fb46cb467c98a8f48317a4
SHA256 hash: 8418887655f69ab5a61915bad2af633462760b128d38f53911da020d70e4862e
SHA256 hash: 42b02d621696ec33e9140fedcf8b48695059595f9469dbf28daf4667ac0d214f
Block list

As always, indicators are not a block list. If anyone's inclined to block web traffic, I suggest the following domains and URLs. Keep in mind many of these may have been taken off-line by the time you read this.

boxerproperties.biz
boxerproperties.info
boxerproperties.org
boxerproperties.us
carolinecollective.cc
classiccaladiums.info
classiccaladiums.org
classiccaladiumsllc.org
eastlandmallcharlotte.com
long-island-office-space.com
subleaseofficehouston.com
tabconstructioninc.com
tabrrinc.com
tabrs.com
thesublease.com
ofthi.com
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/1
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/2
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/3
littarhapone.com
suptalefthed.ru
hxxp://yoyostudy.com.au/62a.exe
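As an added example (not code from the diary), the Python script below turns the indicators published above into something a defender can act on: the SHA256 hashes under "Associated malware" become a hash lookup for checking files found in the locations mentioned under "Forensics on the infected host", and the domains and defanged hxxp URLs in the block list become Unbound local-zone lines and Squid ACL entries. The indicator text is quoted from the diary; the ACL name hancitor_block, the file path /etc/squid/hancitor_block.txt, and the choice of the always_nxdomain local-zone type are my own assumptions, not the diary's.

```python
import hashlib
import os
import re
from urllib.parse import urlparse

# Indicators quoted from the diary's block list. URLs are defanged with "hxxp" exactly as
# published; refang() restores the scheme wherever a real URL is needed.
DIARY_BLOCK_LIST = """
boxerproperties.biz
boxerproperties.info
boxerproperties.org
boxerproperties.us
carolinecollective.cc
classiccaladiums.info
classiccaladiums.org
classiccaladiumsllc.org
eastlandmallcharlotte.com
long-island-office-space.com
subleaseofficehouston.com
tabconstructioninc.com
tabrrinc.com
tabrs.com
thesublease.com
ofthi.com
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/1
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/2
hxxp://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/3
littarhapone.com
suptalefthed.ru
hxxp://yoyostudy.com.au/62a.exe
""".split()

# SHA256 hashes quoted from the diary's "Associated malware" list.
DIARY_SHA256 = {
    "6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297",
    "2c506742267dd9d41dc62f2614f6306458da185230fb46cb467c98a8f48317a4",
    "8418887655f69ab5a61915bad2af633462760b128d38f53911da020d70e4862e",
    "42b02d621696ec33e9140fedcf8b48695059595f9469dbf28daf4667ac0d214f",
}


def refang(indicator: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into http(s):// (case-insensitive)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.IGNORECASE)


def is_url(indicator: str) -> bool:
    return "://" in indicator


def host_of(indicator: str) -> str:
    """Lower-cased hostname of a bare domain or of a (defanged) URL."""
    s = refang(indicator)
    return (urlparse(s).hostname if is_url(s) else s).lower()


def unbound_local_zones(indicators) -> list:
    """One unbound.conf line per unique host; NXDOMAIN for the host and its subdomains."""
    hosts = sorted({host_of(i) for i in indicators})
    return [f'local-zone: "{h}." always_nxdomain' for h in hosts]


def squid_acls(indicators, name="hancitor_block", list_path="/etc/squid/hancitor_block.txt"):
    """Return (dstdomain_file_lines, squid_conf_lines).

    Bare domains become dstdomain entries (leading dot = domain plus subdomains) kept in an
    external file; full URLs become anchored url_regex entries so only that path is denied.
    The ACL name and file path are this example's assumptions.
    """
    dstdomains = ["." + host_of(i) for i in indicators if not is_url(i)]
    url_regexes = ["^" + re.escape(refang(i)) for i in indicators if is_url(i)]
    conf = [f'acl {name} dstdomain "{list_path}"']
    conf += [f"acl {name}_url url_regex {rx}" for rx in url_regexes]
    conf += [f"http_access deny {name}", f"http_access deny {name}_url"]
    return dstdomains, conf


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_hash(hexdigest: str, known=DIARY_SHA256) -> bool:
    return hexdigest.strip().lower() in known


def scan_for_known_samples(root: str, known=DIARY_SHA256) -> list:
    """Walk a directory tree (e.g. a user's AppData\\Local\\Temp) and return the paths of
    files whose SHA256 matches a known sample. Unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_known_hash(sha256_bytes(fh.read()), known):
                        hits.append(path)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    print("\n".join(unbound_local_zones(DIARY_BLOCK_LIST)))
    dst, conf = squid_acls(DIARY_BLOCK_LIST)
    print("\n".join(dst + conf))
```

The Unbound lines go straight into a server: block of unbound.conf; the dstdomain list is written to the external file named in the acl line, and the acl and http_access lines go into squid.conf ahead of the permissive rules. Because the diary warns that much of this infrastructure is taken down within hours, keep the generated lists dated so stale entries can be retired later.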
Final words

As always, the standard disclaimer applies: Hancitor is really no more dangerous than other types of malspam we see on a daily basis. This malware is for Windows systems, but Windows 10 hosts seem well-protected against this threat. Even with the switch to RTF files exploiting CVE-2017-11882, I don't think this campaign is much more of a threat now than it was before. Why? Because spam filters seem to detect and block this malspam fairly easily.

The detection rate on the RTF files is a bit lower than I've seen before on previous Hancitor-related Word documents. Today's RTF sample was detected by 12 of 57 engines when I checked VirusTotal on 2018-01-24 at 00:32 UTC. However, most of the infrastructure on these campaigns is quickly detected, and the associated hosting providers usually take most of it off-line within hours of discovery.

As always, properly administered Windows hosts are unlikely to get infected. For older versions of Windows, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

Pcap and malware samples for today's diary can be found here.

Finally, thanks to the security professionals on Twitter who share indicators and discuss these waves of malspam in near-real-time. Here is a Twitter search to help you find more information and indicators for recent Hancitor activity.
Brad, ISC Handler, Jan 24th 2018
Comment (Anonymous, Jan 25th 2018): Added them directly to the Squid & Unbound block list. Thanks.