Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511.
Hancitor was seen as fairly unsophisticated in 2018, but it remained a threat for years to come. Roughly three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike.
In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts.
Chain of Events for Recent Hancitor Infections
The chain of events for recent Hancitor infections is:
- An email with a link to a malicious page hosted on Google Drive.
- Link from a Google Drive page to a URL that returns a malicious Word document.
- Enable macros (per instructions in the Word document text).
- Hancitor DLL is dropped and run using rundll32.exe.
- Hancitor generates command and control (C2) traffic.
- Hancitor C2 most often leads to Ficker Stealer malware.
- Hancitor C2 leads to Cobalt Strike activity in AD environments.
- Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).
- In rare cases, a Hancitor infection was followed by Send-Safe spambot malware that turned the infected host into a spambot pushing more Hancitor-based malspam.
Hancitor chain of occasions
First Stage: Distributing Malicious Word Documents
Hancitor has historically sent emails spoofing various types of organizations that send notices, faxes or invoices. At present, most waves of emails pushing Hancitor have used a DocuSign theme.
These DocuSign-themed messages have links to malicious Google Drive pages established through fraudulent or possibly compromised Google accounts. Cloud-based collaborative services such as Microsoft's OneDrive and Google Drive are frequently abused by threat actors to distribute malware.
Second Stage: Hancitor Infects the Victim
When macros are enabled for these malicious Word documents, the macro code drops and runs a malicious DLL file for Hancitor. The DLL file is contained within the macro code. Network traffic caused by Hancitor begins with an IP address check by the infected Windows host.
The IP check is immediately followed by C2 traffic. The posted data includes the version of Windows and domain information if the infected host is part of an AD environment. Finally, the posted data also contains a Globally Unique Identifier (GUID) for the infected host and a build number for the Hancitor malware sample.
Third Stage: Hancitor Retrieves Follow-Up Malware
After Hancitor establishes C2 traffic, it retrieves follow-up malware. Each day, the follow-up malware items for Hancitor are hosted on the same domain. Hancitor will only send Cobalt Strike when it infects a host in an AD environment.
Final Stage: Cobalt Strike Sends Malware
Cobalt Strike is used by the threat actor behind Hancitor to send follow-up malware. Another file that appeared on Hancitor-infected hosts after Cobalt Strike activity started was a Windows EXE file for a network ping tool. The network ping tool was always saved to the same directory as the Hancitor Word document.
This ping tool is designed to find any other active hosts within an AD environment. The tool generates approximately 1.5 GB of ICMP ping traffic over the network as it pings more than 17 million IP addresses in the internal, non-routable IPv4 address space.
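A defender's view of the ping sweep described above, as an added example that is not code from the original post or from Unit 42: it checks that the RFC 1918 private ranges account for the cited address count, and it flags any host in constructed flow records that sends ICMP echo traffic to an unusual number of distinct internal addresses. The CSV flow format, the sample records and the thresholds are assumptions, not details from the page.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private IPv4 ranges: 10/8 + 172.16/12 + 192.168/16.
# Together they hold 17,891,328 addresses, consistent with the "more than
# 17 million" internal addresses the text says the ping tool probes
# (assumption: the tool sweeps these ranges; the text does not list them).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_address_count():
    """Total number of RFC 1918 IPv4 addresses."""
    return sum(n.num_addresses for n in PRIVATE_NETS)


# Constructed sample flow records (not captured data): src,dst,proto,bytes.
# Host 10.1.2.34 probes five distinct internal addresses (one twice); the
# rest are an ordinary single ping, a ping to a public address and a TCP flow.
SAMPLE_FLOWS = """\
10.1.2.34,10.0.0.1,icmp,74
10.1.2.34,10.0.0.2,icmp,74
10.1.2.34,10.0.0.3,icmp,74
10.1.2.34,10.0.0.4,icmp,74
10.1.2.34,10.0.0.5,icmp,74
10.1.2.34,10.0.0.5,icmp,74
10.1.2.50,10.0.0.1,icmp,74
10.1.2.60,8.8.8.8,icmp,74
10.1.2.34,10.0.0.9,tcp,1500
"""


def detect_icmp_sweeps(flow_text, min_targets=1000):
    """Return {src: number of distinct internal ICMP targets} for hosts at or
    above min_targets.  The default is deliberately high: a sweep of the whole
    RFC 1918 space exceeds it by orders of magnitude, while a single workstation
    rarely pings more than a handful of peers."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, _ = (f.strip() for f in line.split(","))
        if proto != "icmp":
            continue
        if any(ipaddress.ip_address(dst) in net for net in PRIVATE_NETS):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print(private_address_count())  # 17891328
    # Low threshold only because the constructed sample is tiny.
    print(detect_icmp_sweeps(SAMPLE_FLOWS, min_targets=4))  # {'10.1.2.34': 5}
```

The same counting logic applies to Zeek conn.log or NetFlow exports once the field split is adapted; a sweep on the scale the text describes also stands out as sustained ICMP volume from one host.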
Therefore, organizations with decent spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection from Hancitor and its post-infection activity. Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with a Threat Prevention security subscription.