{"id":6431,"date":"2021-06-22T15:05:23","date_gmt":"2021-06-22T22:05:23","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6431"},"modified":"2024-04-26T13:20:37","modified_gmt":"2024-04-26T20:20:37","slug":"hancitor-downloads-infostealers","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/hancitor-downloads-infostealers\/","title":{"rendered":"Hancitor Downloads Infostealers"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

From June 9 to 17, Infoblox observed multiple malspam campaigns that used DocuSign-themed lures. The malspam enticed users to download and open Microsoft Word documents with malicious macros that installed embedded copies of the trojan downloader Hancitor. The existence of these campaigns was independently corroborated by multiple external sources.1<\/sup>,<\/sup>2<\/sup>,<\/sup>3<\/sup>,<\/sup>4<\/sup>\u00a0<\/strong><\/p>\n

Customer Impact<\/h3>\n

Hancitor targets businesses and individuals around the world. Threat actors distribute it via malspam sent by compromised servers in the United States, Japan, Canada and many other countries. These malicious emails mimic notifications from legitimate organizations to entice the targets to download weaponized Microsoft Office documents.<\/p>\n

We have written about previous Hancitor campaigns in April 20205<\/sup> and December 2020.6<\/sup> Many of Hancitor\u2019s core characteristics have remained the same, but these recent campaigns use a new method of obfuscating malicious URLs in their malspam messages.<\/p>\n

Campaign Analysis<\/h3>\n

The emails in these campaigns use a DocuSign-themed lure to entice a target into opening a link in the message. The subject lines of the emails indicate that the target has a pending invoice or notification from DocuSign. Each email contains an embedded link that uses Google\u2019s Feed Proxy service to redirect the target to a compromised website that hosts a malicious Microsoft Word document.<\/p>\n

Attack Chain<\/h3>\n

Upon clicking the link in the initial Hancitor malspam email, the victim is redirected to one of several websites that try to download a malicious Word file. When the victim opens this file, it displays a message instructing the victim to enable content. Doing so executes the malicious macros in the document. The macros then extract and execute the Hancitor payload\u2019s dynamic link library (DLL) embedded within the Word document, thus establishing the initial Hancitor infection.<\/p>\n

Once Hancitor infects the victim\u2019s system, it sends basic information about the system to one of its hardcoded command and control (C&C) servers. The server responds with further instructions, which direct Hancitor to download and execute one or more additional malware payloads. <\/p>\n

In these campaigns, Hancitor delivered one of two possible additional payloads.The first payload was Cobalt Strike: a legitimate penetration testing tool that has been gaining popularity among threat actors. Its features include infostealer capabilities, such as keylogging; exploits that can leverage system vulnerabilities to facilitate additional attacks; and various methods that help conceal the infostealer\u2019s activity on both the infected system and the victim\u2019s network.7<\/sup><\/p>\n

The second payload was Ficker Stealer: a relatively new Malware-as-a-Service (MaaS) infostealer, identified in August 2020.8<\/sup> According to the author of Ficker Stealer, the malware is capable of stealing web browser passwords, cryptocurrency wallets, FTP client information, credentials stored by Windows Credential Manager, and session information from various chat and email clients.9<\/sup><\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Hancitor uses several advanced detection countermeasures to bypass antivirus software and firewall-based security. The best way for users to protect themselves from Hancitor is to be wary of links in incoming emails. Namely, a user should:<\/p>\n