{"id":5113,"date":"2020-04-22T12:26:04","date_gmt":"2020-04-22T19:26:04","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5113"},"modified":"2024-04-26T13:21:26","modified_gmt":"2024-04-26T20:21:26","slug":"spoofed-humana-healthcare-malspam-campaign-delivers-hancitor-infostealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/spoofed-humana-healthcare-malspam-campaign-delivers-hancitor-infostealer\/","title":{"rendered":"Spoofed Healthcare Malspam Campaign Delivers Hancitor Infostealer"},"content":{"rendered":"

On 14 April, security researcher JTHL (@JayTHL), reported a Humana Insurance\/COVID-19-themed malicious spam (malspam) campaign delivering Hancitor malware, also known as Chanitor, via an embedded macro in a Microsoft Excel (XLS) file.1<\/sup><\/p>\n

Hancitor is a trojan downloader that lures victims into downloading malicious Microsoft Office files that introduce additional malware to a victim\u2019s machine. The stage-two payloads are designed to steal personally identifiable information (PII) such as device credentials or banking information. Once Hancitor infects a victim’s device, it receives instructions through communication with its command and control (C2) server to download additional malware, such as the Gozi, Pony, or Evil Pony information stealers (infostealers).<\/p>\n

The messages in this campaign impersonate the healthcare provider Humana with subject lines such as “The above is a safe message coming from Humana. #<digits>.\u201d The bodies of the emails prompt the user to click a “See Details” button for information on a fraudulent invoice for a COVID-19 protection plan.<\/p>\n

Malspam subject lines:<\/p>\n