2017-11-21 - HANCITOR MALSPAM - NOW SEEING ICEDID BANKING TROJAN (NOT ZEUS PANDA BANKER)

ASSOCIATED FILES:

  • 2017-11-21-Hancitor-malspam-traffic.pcap   (1,987,090 bytes)
  • 2017-11-21-Hancitor-malspam-example.eml   (7,725 bytes)
  • BN2886.tmp   (77,824 bytes)
  • atctaachi.exe   (344,064 bytes)
  • invoice_653074.doc   (321,024 bytes)

 

NOTES:


Shown above:  How I understand the current infection chain.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Clicking on a link from one of the emails.

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

 


Shown above:  Some alerts using Snort 2.9.11 and the Snort subscription ruleset when playing back the same pcap.

 


Shown above:  IceID banking Trojan persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.