I previously wrote a diary on Hancitor back in February 2017. Even though I haven't written a diary about it lately, it's been a near-daily occurrence since then. There's been no significant change, which is why I haven't bothered. Thursday 2017-09-21 included yet another wave of malicious spam (malspam) pushing Hancitor Word documents. Since it's been a while, let's review indicators for this most recent wave.
Hancitor, also known as Chanitor or Tordal, pushed Pony and Vawtrack last year. However, this year it stopped using Vawtrack and now pushes DELoader/ZLoader. The most recent technical write-ups I've seen on Hancitor are here, here, and here.
At least two Twitter accounts routinely tweet indicators for Hancitor malspam like URLs and file hashes. The ones I routinely check are @cheapbyte (example) and @James_inthe_box (example). However, other accounts also tweet Hancitor indicators. You can keep up with this near-daily information by searching Twitter for recent tweets tagged #hancitor.
Thursday's emails were disguised as yet another invoice, this time spoofing a company named Advanced Maintenance. Advanced Maintenance is a general contract and maintenance "handyman" company with various locations in the US. The emails all spoof a domain name registered by the company's President/CEO named advutah.com. However, these messages are not related to Advanced Maintenance, and they do not actually come from that domain.
Advanced Maintenance is aware of this malspam. If you go to the company's official website, you'll see a warning to ignore these emails.
Links in the email point to various URLs designed to download a malicious Word document. As in previous waves of malspam, the downloaded Word document has macros designed to infect a vulnerable Windows computer, if enabled.
I infected a host in my lab. Network traffic was typical for what we've seen in recent months from Hancitor malspam. The only difference? I didn't see a base64 string in the initial HTTP GET request for the Word document like I did earlier this week. That base64 string represents the recipient's email address, which has been standard practice for months now. However, this time, the initial HTTP GET request used a plaintext string for the recipient's email address.
The infected host
After a cursory search, I couldn't determine how malware stays persistent on an infected Windows host. However, I did find several artifacts for encrypted traffic-related services like Tor.
Indicators of Compromise (IOCs)
The following IOCs and other indictors are for Hancitor malspam on Thursday 2017-09-21.
Malware recovered from the infected host:
As it stands, the open nature of our Internet makes it easy for criminals behind Hancitor malspam and other campaigns to operate. For example:
I view network-enabled computing devices like I view most middle-aged adults living a sedentary lifestyle. Both are probably healthier than they seem, even if there is plenty of room for improvement. All you need is the right mindset. The Internet is a wonderful place, but it's also a great equalizer. Both good and bad people coexist in the same space when we're online. It pays to be careful if you're out and about in a cyber sense--whether you're reading email, browsing the web, or interacting with social media.
As usual, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers. Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring. If you have any other tips, please share them in the comments.
Traffic and malware samples for today's diary can be found here.
Sep 22nd 2017
3 weeks ago
Any tips on writing a snort rule for this? I have never tried writing one to inspect an office file. Seems to be somewhat difficult because the .docx is basically zipped and Snort inst able to inspect that deep into the file.
Oct 17th 2017
1 day ago