Last Updated: 2017-01-11 04:30:17 UTC
by Brad Duncan (Version: 1)
Until recently, I hadn't personally seen much malicious spam (malspam) using Microsoft Office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. It still happens, though. Occasionally, I'll find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own. And apparently, there had been a recent lull in Hancitor/Pony/Vawtrak malspam until yesterday.
This diary describes a wave of Hancitor/Pony/Vawtrak malspam from Tuesday 2017-01-10.
The example I saw was a fake parking ticket notification.
- Date/Time: Tuesday, 2017-01-10 20:25:41 UTC
- Received from: kennedyslaw.com
- Message-Id: firstname.lastname@example.org
- From: email@example.com
- Subject: RE: RE: parking ticket
The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware.
The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file is named after the recipient's first name as taken from the email address. I used a base64 string for firstname.lastname@example.org (a made-up name/address) and received a file named parking_bert.doc.
Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony/Vawtrak malspam reported during the past two or three months.
You won't see any Vawtrak-specific activity until you start your browser and try to look at something. Once you do, you'll see Vawtrak callback traffic.
Indicators of Compromise (IOCs)
Email links noted on Tuesday 2017-01-10 to download the Hancitor Word document:
- 22.214.171.124 port 80 - www.dreampark.co.jp - GET /api/get.php?id=[base64 string]
- 126.96.36.199 port 80 - www.thienyhotel.vn - GET /api/get.php?id=[base64 string]
Traffic after enabling macros on the Word document:
- api.ipify.org - GET / [IP address check]
- 188.8.131.52 port 80 - tinhorecrin.com - POST /ls5/forum.php [Hancitor callback]
- 184.108.40.206 port 80 - tinhorecrin.com - POST /klu/forum.php [Hancitor callback]
- 220.127.116.11 port 80 - tinhorecrin.com - POST /borjomi/gate.php [Hancitor callback]
- 18.104.22.168 port 80 - www.mi4nd.com - GET /wp-includes/pm1.dll [DLL for Pony]
- 22.214.171.124 port 80 - www.mi4nd.com - GET /wp-includes/pm2.dll [DLL for Pony]
- 126.96.36.199 port 80 - www.worstofbreed.net - GET /wp-content/themes/redoable/inst.exe [EXE for Vawtrak]
Vawtrak traffic noted after trying to browse the web:
- 188.8.131.52 port 80 - 184.108.40.206 - HTTP post-infection Vawtrak callback
- 220.127.116.11 port 443 - geholso.com - HTTPS/SSL/TLS post-infection Vawtrak callback
- 18.104.22.168 port 443 - ojfbgnruqe.com - HTTPS/SSL/TLS post-infection Vawtrak callback
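The two URL patterns called out above (a download link whose `id` parameter is the base64-encoded recipient address, followed by POSTs to `forum.php` or `gate.php` paths, an `api.ipify.org` check and DLL/EXE fetches from `wp-includes`/`wp-content` paths) are easy to hunt for in proxy logs. The script below is an added example written for this diary, not code from the author or from any tool mentioned here. It assumes a constructed five-field proxy log format (timestamp, client IP, method, URL, status); the client IPs and the recipient address `bert.smith@example.org` are made up, while the hostnames and paths are taken from the IOC list above. It decodes the `id` parameter to confirm it is an email address and only reports a client once it shows at least two distinct stages of the chain, which keeps single-pattern false positives (an internal forum, for example) out of the alert.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
# Not real traffic. Hostnames and paths follow the patterns in this diary;
# the client IPs and the recipient address (bert.smith@example.org) are made up.
SAMPLE_LOG = """\
2017-01-10T20:31:02Z 10.0.0.15 GET http://www.dreampark.co.jp/api/get.php?id=YmVydC5zbWl0aEBleGFtcGxlLm9yZw== 200
2017-01-10T20:31:40Z 10.0.0.15 GET http://api.ipify.org/ 200
2017-01-10T20:31:41Z 10.0.0.15 POST http://tinhorecrin.com/ls5/forum.php 200
2017-01-10T20:31:45Z 10.0.0.15 GET http://www.mi4nd.com/wp-includes/pm1.dll 200
2017-01-10T20:32:10Z 10.0.0.22 GET http://intranet.example.org/api/get.php?id=12345 200
2017-01-10T20:32:11Z 10.0.0.22 POST http://forum.example.org/forum.php 200
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_recipient(id_value):
    """Return the email address hidden in a base64 'id' parameter, or None.

    The download links in this wave carry the recipient's address base64-encoded;
    anything that does not decode to a plausible address is treated as unrelated.
    Missing padding is tolerated because some senders strip the '=' characters.
    """
    pad = (-len(id_value)) % 4
    if pad == 3:  # no valid base64 string ever needs three pad characters
        return None
    padded = id_value + "=" * pad
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        try:  # fall back to the URL-safe alphabet ('-' and '_')
            raw = base64.urlsafe_b64decode(padded)
        except binascii.Error:
            return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if EMAIL_RE.match(text) else None


def query_param(query, name):
    """Fetch one query parameter without turning '+' into a space (it is a base64 char)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def classify(line):
    """Map one log line to (client, indicator), or None when no pattern matches."""
    try:
        _ts, client, method, url, _status = line.split()
    except ValueError:  # blank or malformed line
        return None
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    leaf = path.rsplit("/", 1)[-1]
    if method == "GET" and leaf == "get.php":
        if decode_recipient(query_param(parts.query, "id")):
            return client, "hancitor_download_link"
    if method == "GET" and host == "api.ipify.org":
        return client, "ip_check"
    if method == "POST" and leaf in ("forum.php", "gate.php"):
        return client, "hancitor_callback_pattern"
    if (method == "GET" and leaf.endswith((".dll", ".exe"))
            and path.startswith(("/wp-includes/", "/wp-content/"))):
        return client, "payload_fetch"
    return None


def flag_clients(log_text, min_indicators=2):
    """Collect indicators per client and report those showing at least
    min_indicators distinct stages of the Hancitor/Pony chain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, indicator = hit
            seen[client].add(indicator)
    return {c: sorted(i) for c, i in seen.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for client, indicators in flag_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(indicators))
```

Run against the sample, only 10.0.0.15 is reported: it shows the download link, the IP check, the callback pattern and a DLL fetch, whereas 10.0.0.22 only posts to an internal `forum.php` and its `id` parameter is not a base64 email address. Lowering `min_indicators` to 1 trades that precision for recall, which is the right setting when you are pivoting from a known-bad host rather than sweeping all traffic.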
Associated file hashes:
- SHA256 hash: ccf2700ac1878b47ff99bbef8074ccdc0a6dd53ebce8b7aadc00f8d31e78ff43
- File size: 200,192 bytes
- Description: Word document from link to dreampark.co.jp
- SHA256 hash: ad89a7ca5869cb6ea153be32740e6fe4c2fae06383c4680560cc3dd861c2a77a
- File size: 188,416 bytes
- Description: Word document from link to thienyhotel.vn
- SHA256 hash: c726abc766688a680a7c4edd519998ccd436149f907cb5bc0df16137b60e73a2
- File size: 71,680 bytes
- Description: Pony downloader (DLL stored in memory)
- SHA256 hash: 71f601df5d547be70e75bc7acd10f437d4438a7fc7d66b111607fe64d1d8ce41
- File size: 389,120 bytes
- Description: Vawtrak malware
Speaking as security professionals, we often become jaded as yet another wave of malspam does the same thing it's done before. Patterns behind such activity are often well-documented. So why bother with discussion, if there's nothing new? Why bother talking about it, when we have the technical means to prevent these types of infections?
Why indeed! That attitude only encourages the criminal groups behind malspam. For various reasons, many environments don't follow best security practices, and they're still vulnerable. If we discuss ongoing waves of malspam in high-visibility forums like this one, more people will be aware of the threat.
If you know any blogs or Twitter channels you find helpful, feel free to leave a comment below. Let's keep the discussion going!
Pcap and malware for this diary can be found here.
brad [at] malware-traffic-analysis.net