2017-04-24 - HANCITOR MALSPAM - SUBJECT: RE: RE: WRONG AMOUNT FOR INVOICE # 1234567

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-24-Hancitor-malspam-traffic.pcap.zip   12.6 MB (12,582,817 bytes)

• 2017-04-24-Hancitor-malspam-traffic.pcap   (13,312,274 bytes)

• ZIP archive of the malware:  2017-04-24-Hancitor-malspam-and-artifacts.zip   212 kB (212,335 bytes)

• 2017-04-24-Hancitor-malspam-155034-UTC.eml   (2,403 bytes)
• 2017-04-24-Hancitor-malspam-161335-UTC.eml   (2,408 bytes)
• 2017-04-24-Hancitor-malspam-161400-UTC.eml   (2,405 bytes)
• 2017-04-24-Hancitor-malspam-161408-UTC.eml   (2,404 bytes)
• 123.xls   (15,766 bytes)
• BNC476.tmp   (169,984 bytes)
• TestWordDoc.doc   (19,456 bytes)
• invoice_wartell.zueber.doc   (6,059 bytes)
• putty.exe   (150,016 bytes)

NOTES:

• Sometime last week, links from Hancitor malspam started pointing to RTF files with a .doc extension that utilize an exploit for CVE-2017-0199.
• If their Windows host is still vulnerable, users only need to open the document to get infected (no macros involved).  FireEye has a nice write-up here about how it works.
• More indicators for today's wave of malspam are posted at:  https://techhelplist.com/spam-list/1136-2017-04-24-re-re-wrong-amount-for-invoice-malware

 

EMAIL

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Monday 2017-04-24 as early as 15:50 UTC

• From:  (spoofed) "Dalton Peters" <sayaka_iwato@ibiden.com>
• From:  (spoofed) "Lara Whitt" <sayaka_iwato@ibiden.com>
• From:  (spoofed) "Rosalinda Fountain" <sayaka_iwato@ibiden.com>
• From:  (spoofed) "Thomas Elder" <sayaka_iwato@ibiden.com>

• Subject:  RE: RE: wrong amount for invoice # 2154712
• Subject:  RE: RE: wrong amount for invoice # 2891059
• Subject:  RE: RE: wrong amount for invoice # 7219828
• Subject:  RE: RE: wrong amount for invoice # 8296239

 

Shown above:  Malicious RTF file from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUEST FOR THE RTF FILE:

• 47.91.77.245 port 80 - dintandnesin.ru - GET /april/view.php?id=[base64 string]
• 47.91.77.245 port 80 - pardtosinsing.ru - GET /april/view.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 47.91.77.245 port 80 - pardtosinsing.ru - GET /putty.exe
• 47.91.77.245 port 80 - dintandnesin.ru - GET /123.xls
• 129.215.32.13 port 80 - homepages.inf.ed.ac.uk - GET /neilb/TestWordDoc.doc
• 212.116.113.108 port 80 - howrowthettof.com - POST /ls5/forum.php
• 212.116.113.108 port 80 - howrowthettof.com - POST /borjomi/gate.php
• 213.186.33.19 port 80 - www.casalparis.cat - GET /22
• 213.186.33.19 port 80 - www.casalparis.cat - GET /a2
• 185.173.178.5 port 80 - ropretratspar.com - POST /bdk/gate.php
• api.ipify.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

RTF FILE FROM LINK IN THE EMAIL:

• SHA256 hash:  2644d5522d7f5f652f7df68f216269a98e0c8039ca63ed0796e921123846a3fe
  File location:  invoice_wartell.zueber.doc
  File description:  Malicious RTF document designed to exploit vulnerability for CVE-2017-0199

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  7dcbb4e490ee52c01e7838288c799981eaab47131b9f3dc21d349b8eac7545d4
  File location:  C:\Users\[username]\AppData\Roaming\25667.exe
  File description:  Hancitor binary (downloaded at putty.exe)

• SHA256 hash:  efdb74e025abe504eb160e7ff359da8582a9ee6b376ce402c5be7287b8d2293c
  File location:  C:\Users\[username]\AppData\Local\Temp\BNC476.tmp
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-24-Hancitor-malspam-traffic.pcap.zip   12.6 MB (12,582,817 bytes)
• ZIP archive of the malware:  2017-04-24-Hancitor-malspam-and-artifacts.zip   212 kB (212,335 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.