Hancitor – Inside a Malware Campaign (Updated)

What is Hancitor (in short)?

Hancitor (AKA Chanitor) is a malware family that uses Microsoft Office documents with macros to download malicious payloads such as Pony, Vawtrak and other trojans, stealers and ransomware. Recently Hancitor entered the top 5 “most wanted” malware in Check Point’s February Global Threat Impact Index.

Why this article?

Having been active for at least one year, Hancitor is a well-known malware and there are many technical analyses detailing the whole infection process, including one on its C&C web panel. The threat made its comeback around February 2017, when the attackers developed several new capabilities for the malware and started to spread it aggressively.

While the core of the analyses published by researchers, as stated above, was the technical infection process and the malware itself (TTPs), no one had shown interest in the data the attackers left behind about the victims, so we at Lutech Threat Intelligence did.

Our Findings

The Lutech Cyber Threat Intelligence team, with the help of Lutech TMS for Cyber Threat Intelligence, carried out research and several kinds of security analysis and considerations about Hancitor. These analyses resulted in finding a large number of users who have potentially completed step 1 of the Hancitor infection chain: downloading a malicious document that drops malware on the victim’s system.

Analyzing the behavior of Hancitor, we identified how the attackers deployed it on several compromised hosts and discovered common patterns. The malware’s distribution infrastructure consists of a web server (usually hosted on a compromised domain) with 4 different files:

  • block.txt   -> users who attempt to download the document more than 9 times get blacklisted (tracked with visitor.txt)
  • file.tmp    -> the actual Hancitor document, renamed every time based on the victim’s email address
  • get.php     -> the file linked in the spam email, used to download Hancitor (file.tmp)
  • visitor.txt -> log of the victims who clicked on the link inside the spam email (pointing to get.php)

All the extracted data are based on the analysis of several visitor.txt files that we gathered over the last 2 months during our threat intelligence research activities.

We found and analyzed logs of 23 different Hancitor campaigns, coming from more than 53 domains used by the attackers. These massive distribution campaigns hit victims worldwide.

Based on the extracted data, the top 5 countries hit by Hancitor are, in order: 1. USA (149.200), 2. Canada (11.835), 3. Great Britain (4.351), 4. Germany (4.048) and 5. China (2.452). The victims’ distribution is shown in the map below.

The chart below shows the top 20 TLDs of the victims’ email addresses for the Hancitor campaign (for visualization purposes, we used a logarithmic scale). As you can see, there is a considerable number of .gov and ccTLD targets.

Below is a word cloud of the top 300 email domains of the victims. As expected, email providers are the most common, but many well-known companies appear as well.

This domain distribution is interesting: we can observe the absence of some big email providers, such as Gmail or Yandex, from the list of the most affected targets. It is unclear why the victim list follows this distribution, whether it is due to the providers’ different spam filters or to the attackers sending different volumes of spam depending on the target.

Focus on Italian Targets

The following visualizations give a detailed view of the Italian targets. All the data were extracted using Italy’s ccTLD (.it).

Analyzing ccTLDs (country-specific) and gTLDs (generic), we noticed that, except for the .com gTLD, the targets are most of the time private or public companies. This is because most of the world’s biggest email providers use the generic .com, so they are excluded from the other TLDs. This fact is not so obvious, because it means the attackers gathered a lot of email addresses, showing interest even in small companies. These addresses may be connected to the massive data breaches leaked during last year, 2016, such as the ones involving LinkedIn, Myspace, Dropbox, Adobe and others, in which millions of user records were exposed online.

Focus on Government Targets

The following visualizations give a detailed view of the government targets. All the data were extracted using the .gov gTLD. Government targets under a ccTLD (e.g. .gov.it) are excluded on purpose in this section.
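
To show how the visitor.txt logs described above can be turned into the breakdowns used in this article (TLD distribution, the Italian ccTLD view, the .gov-only view, and the more-than-9-attempts rule behind block.txt), here is an added example; it is not the Lutech team’s tooling. Since the article does not show the file’s layout, it assumes one click per line as “timestamp|ip|email” and uses constructed addresses.

```python
import re
from collections import Counter

# Constructed sample of a visitor.txt. The article does not show the file's
# layout, so this example ASSUMES one click per line as "timestamp|ip|email"
# and uses made-up addresses; "frank" clicks the link 10 times.
SAMPLE_VISITOR_TXT = """\
2017-03-01 09:12:44|203.0.113.10|alice@example.com
2017-03-01 09:13:02|203.0.113.10|alice@example.com
2017-03-01 09:20:11|198.51.100.7|bob@agency.gov
2017-03-01 09:21:30|198.51.100.8|carla@comune.example.gov.it
2017-03-01 09:25:05|192.0.2.44|dave@fabbrica.it
2017-03-01 09:30:00|192.0.2.45|erin@bank.co.uk
this line is garbage and must be skipped
""" + "".join(f"2017-03-01 10:{i:02d}:00|192.0.2.99|frank@example.de\n" for i in range(10))

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<ip>[^|]+)\|(?P<email>[^@|\s]+@[^|\s]+)$")

def parse_visitor_log(text):
    """Return (timestamp, ip, email) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["email"].lower()))
    return records

def email_domain(email):
    return email.rsplit("@", 1)[1]

def tld_distribution(records):
    """Unique victims per top-level label, as in the article's TLD chart."""
    victims = {email for _, _, email in records}
    return Counter(email_domain(e).rsplit(".", 1)[-1] for e in victims)

def cctld_targets(records, cc):
    """Victims under one country's ccTLD (the article's Italian focus uses 'it')."""
    return sorted({e for _, _, e in records if email_domain(e).endswith("." + cc)})

def gov_targets(records):
    """Victims under the .gov gTLD only; ccTLD variants such as .gov.it are excluded."""
    return sorted({e for _, _, e in records if email_domain(e).endswith(".gov")})

def over_threshold(records, limit=9):
    """Addresses whose download attempts exceed the limit block.txt enforces (more than 9)."""
    attempts = Counter(email for _, _, email in records)
    return {e: n for e, n in attempts.items() if n > limit}
```

Run over a real visitor.txt by replacing the constructed sample with the file contents; a .gov.it address correctly lands in the Italian view and not in the .gov one.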

Check your domain

If you want to check whether your company has been targeted by this threat, you can send an email to our mailbox supporto[.]security-intelligence[@]lutech[.]it and we will answer with the list of the accounts involved for that domain. For security and verification reasons, you must send the email from an administrative account such as security@your-domain or administration@your-domain.

Contribution

If you have any samples of visitor.txt files or other compromised domains not present in the IOCs list below, feel free to send us an email at supporto[.]security-intelligence[@]lutech[.]it and we will update our analysis with your contribution.

Next step

As a next step, the Lutech Cyber Threat Intelligence team, with the help of Lutech TMS for Cyber Threat Intelligence, will provide a full drill-down analysis of the Italian findings, based on Italy’s ccTLD and IP geolocation. A new thread is coming soon as a stand-alone analysis.

IOCs Lists

The following table lists the IOCs (involved domains, parts of document names and check-in paths) that we collected from various private and public sources.


External Contributors

We would like to thank Ruben Dodge of UPS Security Operation Center for sharing his information about this threat with our team.

Authors

Lutech Cyber Threat Intelligence Team: Fabio Bellani, Luca Dinardo, Luca Sangalli, Roberto Romano
