This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

A New Hancitor Campaign

AhmedSonbol1
Employee
Employee
‎2018-01-25 01:10 PM

This week RSA FirstWatch observed a new malspam campaign delivering Hancitor malware.  Hancitor is a downloader that was used by adversaries to deliver various malware families such as Pony and Zeus Panda Banker.  Contrary to previous malspam campaigns that used VBA macros to deliver Hancitor, this one is exploiting CVE-2017-11882 in malicious RTF documents.

 

Invoice_304550.doc and fax_645751.doc are two examples of the RTF documents used in this campaign.  Opening them with an un-patched instance of Microsoft Word leaves a user with a blank page. However, a lot of activity is happening in the background.

 

Screen Shot 2018-01-25 at 11.20.06 AM.png

 

First, a suspicious retrieves "1", a script containing our Hancitor payload as a Base64 encoded blob along with the necessary commands to decode and start it as a new process.  

 

Screen Shot 2018-01-25 at 12.32.08 PM.png

 

Looking at the HTTP GET, many of headers in the request are curiously absent.  

  

Screen Shot 2018-01-25 at 11.24.28 AM.pngScreen Shot 2018-01-25 at 11.29.04 AM.png

Screen Shot 2018-01-25 at 12.37.32 PM.png

 

NetWitness Packets flags suspicious meta data (e.g., the file.analysis and service.analysis tags shown below).

 

Screen Shot 2018-01-25 at 11.30.59 AM.png

  

Next, there is a request to a service to idenitfy the IP address of the victim machine:

  

Screen Shot 2018-01-25 at 11.33.44 AM.png

  

Then, it checks-in with a C2 domain (undronride[.]ru) sending the host information via an HTTP POST request.  The directory and filename used in the request reflect the telltale 'ls5/forum.php' characteristics of Hancitor.

 

Screen Shot 2018-01-25 at 11.50.31 AM.png

 

It is worth noting that the C2 domain, undronride[.]ru, was registered just seven days ago and lacks a surprising amount of registration information.

 

Screen Shot 2018-01-25 at 10.56.18 AM.png

 

A second C2 callback to the CNOBIN-registered littarhapone[.]com was also generated by the malware. 

 

Screen Shot 2018-01-25 at 11.45.07 AM.png

 

The following screenshot shows the meta populated by NetWitness Packets for these C2 check-in sessions:

 

Screen Shot 2018-01-25 at 11.55.48 AM.png

 

In both cases, there were no binaries downloaded after the check-in. However, this SANS blog post discusses some of the additional payloads delivered by this Hancitor campaign.

 

 

All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Delivery documents (SHA256):

  • b489ca02dcea8dc7d5420908ad5d58f99a6fef160721dcecfd512095f2163f7a
  • 6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297
     

footer.png

© 2022 RSA Security LLC or its affiliates. All rights reserved.