{"id":6967,"date":"2021-09-14T15:35:08","date_gmt":"2021-09-14T22:35:08","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6967"},"modified":"2024-08-07T12:19:12","modified_gmt":"2024-08-07T19:19:12","slug":"hancitor-adds-second-redirect","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/hancitor-adds-second-redirect\/","title":{"rendered":"Hancitor Adds Second Redirect"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 8 September, Infoblox observed a malspam campaign that used DocuSign-themed lures to entice users to download and open Microsoft Word documents with malicious macros that installed embedded copies of the trojan downloader Hancitor.
\nWe have written about previous Hancitor campaigns in April 2020,1 December 2020,2 March 2021,3 and June 2021.4 Hancitor\u2019s core characteristics have not changed, but in this campaign, Hancitor has yet another URL-redirection stage that precedes the delivery of the malicious document payload.<\/p>\n

2. Customer Impact<\/h3>\n

Hancitor targets businesses and individuals around the world. Threat actors distribute it via malspam sent by compromised servers in the United States, Japan, Canada, and many other countries. To entice the targets into downloading weaponized Microsoft Office documents, the malspam mimics notifications from legitimate organizations.<\/p>\n

3. Campaign Analysis<\/h3>\n

An email in this campaign uses a DocuSign-themed lure to entice a target into opening a link in the message. The subject line indicates that the target has a pending invoice or notification from DocuSign. Embedded in the email is a link that uses Google\u2019s Feed Proxy service to redirect the target to a compromised website that hosts a second redirector, which ultimately points to a malicious Microsoft Word document uploaded to Microsoft OneDrive.<\/p>\n

4. Attack Chain<\/h3>\n

Upon clicking the link in the initial Hancitor malspam email, the victim is redirected to a website that immediately downloads a malicious Word file from Microsoft OneDrive (Hancitor has several websites like this). When the victim opens this file, it displays a message instructing the victim to enable content. Opening the message executes the malicious macros in the document. The macros then extract and execute the Hancitor payload\u2019s dynamic link library (DLL) embedded within the Word document, thus establishing the initial Hancitor infection.<\/p>\n

After infecting the victim\u2019s system, Hancitor sends basic information about the system to one of its hardcoded command and control (C&C) servers. The server responds with further instructions, which normally direct Hancitor to download and execute one or more additional malware payloads. We did not observe any additional payloads in this campaign, but the most common payloads in recent Hancitor campaigns have been the Cobalt Strike penetration-testing tool and Ficker Stealer infostealer. The lack of payloads in this campaign may indicate that the threat actor has enhanced the malware by adding methods for avoiding detection; however, we cannot confirm or deny this without further analysis.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

5. Vulnerabilities and Mitigation<\/h3>\n

Hancitor uses several advanced detection countermeasures to bypass antivirus software and firewall-based security. The best way for users to protect themselves from Hancitor is to be wary of links in incoming emails. Namely, a user should:<\/p>\n