2017-10-30 - HANCITOR MALSPAM (VIEW YOUR OFFICE 365 BUSINESS BILLING STATEMENT)

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-10-30-Hancitor-malspam-traffic-example.pcap.zip   364 kB (364,152 bytes)

• 2017-10-30-Hancitor-malspam-traffic-example.pcap   (528,674 bytes)

• Zip archive of the malware:  2017-10-30-Hancitor-malspam-and-artifacts.zip   248 kB (247,725 bytes)

• 2017-10-30-Hancitor-malspam-1621-UTC.eml   (5,996 bytes)
• 2017-10-30-Hancitor-malspam-1626-UTC.eml   (5,921 bytes)
• 2017-10-30-Hancitor-malspam-1722-UTC.eml   (6,002 bytes)
• 2017-10-30-Hancitor-malspam-1724-UTC.eml   (6,058 bytes)
• 2017-10-30-Hancitor-malspam-1726-UTC.eml   (5,934 bytes)
• 2017-10-30-Hancitor-malspam-1822-UTC.eml   (6,033 bytes)
• 2017-10-30-Hancitor-malspam-1829-UTC.eml   (5,965 bytes)
• 2017-10-30-Hancitor-malspam-1837-UTC.eml   (5,967 bytes)
• 2017-10-30-Hancitor-malspam-1855-UTC.eml   (5,933 bytes)
• 2017-10-30-Hancitor-malspam-1918-UTC.eml   (6,007 bytes)
• 2017-10-30-ZeusPandaBanker.exe   (153,088 bytes)
• statement_299584.doc   (220,160 bytes)

 

TODAY'S TWEETS COVERING THE 2017-10-30 WAVE OF #HANCITOR MALSPAM:

• @James_inthe_box:  Incoming #hancitor #malspam: "View your Office 365 Business billing statement for <domain>" pastebin.com/BDYSi0Zv updates forthcoming   (link)
• @pollo290987:  #Hancitor arizoznaic,us/s.php?nlv654=[email clear]   10stepstoyes,info/s.php?idw042=[email clear]   colighaningr,com GET /ls5/forum.php   (link)

 

NOTES:

• The DDE attack we saw earlier this month from Hanictor malspam was very short-lived.  Today, just like last time, it's been Word macros.
• Also like last time, we have Zeus Panda Banker (no ZLoader/DELoader).

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time: Monday 2017-10-30 as early as 16:21 UTC through at least 19:18 UTC
• Subject:  View your Office 365 Business billing statement for [recipient's email domain]
• From:  "Microsoft Online Services Team" <microsoft@inreachitsolutions.com>

• Received: from inreachitsolutions.com ([50.206.59.110])
• Received: from inreachitsolutions.com ([67.88.39.194])
• Received: from inreachitsolutions.com ([69.11.104.192])
• Received: from inreachitsolutions.com ([74.95.217.206])
• Received: from inreachitsolutions.com ([76.73.153.98])
• Received: from inreachitsolutions.com ([79.10.219.3])
• Received: from inreachitsolutions.com ([98.198.65.62])
• Received: from inreachitsolutions.com ([108.190.156.147])
• Received: from inreachitsolutions.com ([136.61.93.165])
• Received: from inreachitsolutions.com ([174.226.18.159])

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Attempted TCP connections caused by Zeus Panda Banker on the infected host.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• arizonaic.biz - GET /s.php?fre574=[recipient's email address]
• arizonaic.biz - GET /s.php?tnx552=[recipient's email address]
• arizonaic.com - GET /s.php?ywy156=[recipient's email address]
• arizonaic.mobi - GET /s.php?mim650=[recipient's email address]
• arizonaic.net - GET /s.php?jxw684=[recipient's email address]
• arizonaic.net - GET /s.php?sns010=[recipient's email address]
• arizonaic.us - GET /s.php?aiz184=[recipient's email address]
• arizonaic.us - GET /s.php?kjw700=[recipient's email address]
• opbrace.com - GET /s.php?hvo262=[recipient's email address]
• tenstepstoyes.org - GET /s.php?vvg003=[recipient's email address]

NAME FOR THE MALICIOUS WORD DOCUMENT:

• statement_[six random digits].doc

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

• 178.170.244.181 port 80 - colighaningr.com - POST /ls5/forum.php
• 178.170.244.181 port 80 - colighaningr.com - POST /mlu/forum.php
• 178.170.244.181 port 80 - colighaningr.com - POST /d2/about.php
• 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/1
• 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/2
• 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/3
• 164.132.28.118 port 443 - tontrumuchtors.com - attempted TCP connection (RST from the server)
• api.ipify.org - GET /

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  d2ddcfd70f9fb7eba158c1ce17438bd9328ddfaa6507428be4f802402b15ab9e
  File name:  statement_299584.doc
  File size:  220,160 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  ba35a1c840ba413f1f92179b7dce1d84ae07b9f8a349e847692760a7b395ddb1
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].tmp
  File location:  C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
  File size:  153,088 bytes
  File description:  Zeus Panda Banker

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-10-30-Hancitor-malspam-traffic-example.pcap.zip   364 kB (364,152 bytes)
• Zip archive of the malware:  2017-10-30-Hancitor-malspam-and-artifacts.zip   248 kB (247,725 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.