2017-12-11 - HANCITOR MALSPAM (EFAX-THEMED)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-11-Hancitor-malspam-traffic.pcap.zip 1.8 MB (1,801,521 bytes)
- 2017-12-11-Hancitor-malspam-traffic.pcap (2,364,151 bytes)
- Zip archive of the email: 2017-12-11-Hancitor-malspam-1654-UTC.eml.zip 1.1 kB (1,077 bytes)
- 2017-12-11-Hancitor-malspam-1654-UTC.eml (2,767 bytes)
- Zip archive of the malware: 2017-12-11-malware-from-Hancitor-malspam.zip 215 kB (214,894 bytes)
- 2017-12-11-Hancitor-maldoc-eFax_729569.doc (40,128 bytes)
- 2017-12-11-Zeus-Panda-Banker-sample.exe (152,064 bytes)
NOTES:
- Today, post-infection malware from Hancitor malspam includes Zeus Panda Banker.
- Hancitor has been switching between Zeus Panda Banker and the IcedID banking Trojan as its follow-up malware during the past two weeks or so.
- As usual, Pony and Evil Pony (both fileless) are still retrieved by Hancitor after the Word document macro runs.
- Thanks to @James_inthe_box, who published additional indicators (link) that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- agelessbuy.com
- agelessshow.com
- beautyandthearts.org
- buyoesh.com
- iaaaward.com
- iaapublishing.com
- iaasavesthearts.com
- oesh.org
- oeshshoes.com
- oeshshoes.net
- wearoesh.com
- hxxp://aboutthebike.co.uk/wp-content/plugins/all-in-one-seo-pack/1
- hxxp://aboutthebike.co.uk/wp-content/plugins/all-in-one-seo-pack/2
- hxxp://aboutthebike.co.uk/wp-content/plugins/all-in-one-seo-pack/3
- hxxp://beyondthebag.feedprojects.com/wp-content/plugins/featured-image-widget/1
- hxxp://beyondthebag.feedprojects.com/wp-content/plugins/featured-image-widget/2
- hxxp://beyondthebag.feedprojects.com/wp-content/plugins/featured-image-widget/3
- hxxp://modelhover.org/1
- hxxp://modelhover.org/2
- hxxp://modelhover.org/3
- hxxp://sterrenburgvanduijn.nl/wp-content/plugins/gallery-bank/1
- hxxp://sterrenburgvanduijn.nl/wp-content/plugins/gallery-bank/2
- hxxp://sterrenburgvanduijn.nl/wp-content/plugins/gallery-bank/3
- hxxp://www.nationejobs.com/campaign/1
- hxxp://www.nationejobs.com/campaign/2
- hxxp://www.nationejobs.com/campaign/3
- butenrestold.com
- hadrecrolof.ru
- goonronto.ru
- aningtorsfave.com
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Received: from ironrockcc.com ([168.111.104.153])
- Date/Time: Monday 2017-12-11 at 16:54 UTC
- Subject: New incoming fax from 1-610-378-2367 on Mon, 11 Dec 2017 11:54:49 -0500
- From (spoofed): "eFax.com" <efax@ironrockcc.com>
Shown above: Clicking on link from the email.
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
DOMAINS FROM LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://agelessbuy.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://agelessshow.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://beautyandthearts.org/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://buyoesh.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://iaaaward.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://iaapublishing.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://iaasavesthearts.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://oesh.org/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://oeshshoes.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://oeshshoes.net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://wearoesh.com/?[encoded string]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 92.53.87.50 port 80 - agelessshow.com - GET /?[encoded string]=[encoded string representing recipient's email address]
- api.ipify.org - GET / [IP address check by the infected Windows host]
- 217.197.116.29 port 80 - butenrestold.com - POST /ls5/forum.php
- 217.197.116.29 port 80 - butenrestold.com - POST /mlu/forum.php
- 217.197.116.29 port 80 - butenrestold.com - POST /d2/about.php
- 91.142.253.85 port 80 - sterrenburgvanduijn.nl - GET /wp-content/plugins/gallery-bank/1
- 91.142.253.85 port 80 - sterrenburgvanduijn.nl - GET /wp-content/plugins/gallery-bank/2
- 91.142.253.85 port 80 - sterrenburgvanduijn.nl - GET /wp-content/plugins/gallery-bank/3
- 202.60.199.201 port 80 - www.nationejobs.com - GET /campaign/1
- 202.60.199.201 port 80 - www.nationejobs.com - GET /campaign/2
- 202.60.199.201 port 80 - www.nationejobs.com - GET /campaign/3
- 79.170.40.178 port 80 - modelhover.org - GET /1
- 79.170.40.178 port 80 - modelhover.org - GET /2
- 79.170.40.178 port 80 - modelhover.org - GET /3
- 217.29.53.132 port 443 - aningtorsfave.com - HTTPS/SSL/TLS traffic associated with Zeus Panda Banker
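The traffic above shows the usual Hancitor order of events on one client: a GET to the malspam link domain, an IP check against api.ipify.org, a POST check-in to a Hancitor C2 domain (/<dir>/forum.php or about.php), three numbered payload GETs from compromised sites, and finally TLS to the Zeus Panda Banker C2. The script below is an added example (it is not part of the original post and not a tool from malware-traffic-analysis.net) that runs that chain as detection logic over web proxy log lines. The log format, the client IPs, the stage names and the function names are my own assumptions; the domains and URIs are only those listed in this report, and the sample log lines are constructed.

```python
"""Flag the Hancitor infection chain in proxy logs using the indicators above.

Added example, not the report author's code. The log line format
"<ISO time> <client IP> <method> <host> <path>" and the sample lines are
constructed for this demonstration.
"""
import re
from collections import defaultdict

# Indicators copied from the report above.
MALSPAM_LINK_DOMAINS = {
    "agelessbuy.com", "agelessshow.com", "beautyandthearts.org", "buyoesh.com",
    "iaaaward.com", "iaapublishing.com", "iaasavesthearts.com", "oesh.org",
    "oeshshoes.com", "oeshshoes.net", "wearoesh.com",
}
HANCITOR_C2_DOMAINS = {"butenrestold.com", "hadrecrolof.ru", "goonronto.ru"}
PAYLOAD_URL_PREFIXES = (
    "aboutthebike.co.uk/wp-content/plugins/all-in-one-seo-pack/",
    "beyondthebag.feedprojects.com/wp-content/plugins/featured-image-widget/",
    "modelhover.org/",
    "sterrenburgvanduijn.nl/wp-content/plugins/gallery-bank/",
    "www.nationejobs.com/campaign/",
)
ZEUS_PANDA_C2_DOMAIN = "aningtorsfave.com"

# Shape of the Hancitor check-in seen in the pcap: POST /<short dir>/forum.php or about.php
CHECKIN_URI_RE = re.compile(r"^/[A-Za-z0-9]{1,8}/(?:forum|about)\.php$")

# Constructed proxy-log format (assumption): "<ISO time> <client IP> <method> <host> <path>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>GET|POST|CONNECT)\s+"
    r"(?P<host>[^\s/]+)(?:\s+(?P<path>/\S*))?\s*$"
)


def classify(method, host, path):
    """Map one request onto a stage of the infection chain, or None if it matches nothing."""
    host = host.lower().split(":")[0]   # drop ":443" from CONNECT hosts
    path = path or "/"
    if host in MALSPAM_LINK_DOMAINS:
        return "maldoc-download-link"
    if host == "api.ipify.org":
        return "ip-check"                # benign service; only meaningful next to the other stages
    if host in HANCITOR_C2_DOMAINS:
        if method == "POST" and CHECKIN_URI_RE.match(path):
            return "hancitor-checkin"
        return "hancitor-c2-other"
    if method == "GET" and (host + path).startswith(PAYLOAD_URL_PREFIXES) \
            and path.rsplit("/", 1)[-1] in {"1", "2", "3"}:
        return "payload-download"
    if host == ZEUS_PANDA_C2_DOMAIN:
        return "zeus-panda-c2"
    return None


def scan(lines):
    """Return {client IP: [(timestamp, stage), ...]} for every request that matched a stage."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        stage = classify(m["method"], m["host"], m["path"])
        if stage:
            hits[m["src"]].append((m["ts"], stage))
    return dict(hits)


def likely_infected(lines):
    """Clients showing a Hancitor check-in plus at least one later stage of the chain."""
    later = {"payload-download", "zeus-panda-c2", "hancitor-c2-other"}
    result = []
    for src, events in scan(lines).items():
        stages = {stage for _, stage in events}
        if "hancitor-checkin" in stages and stages & later:
            result.append(src)
    return sorted(result)


# Constructed sample log: one infected client, one clean client, one client that only
# touched api.ipify.org (which on its own proves nothing).
SAMPLE_PROXY_LOG = """\
2017-12-11T16:57:02Z 10.12.11.101 GET agelessshow.com /?abcd=ZXhhbXBsZQ
2017-12-11T16:57:40Z 10.12.11.101 GET api.ipify.org /
2017-12-11T16:57:41Z 10.12.11.101 POST butenrestold.com /ls5/forum.php
2017-12-11T16:57:43Z 10.12.11.101 GET sterrenburgvanduijn.nl /wp-content/plugins/gallery-bank/1
2017-12-11T16:57:44Z 10.12.11.101 GET www.nationejobs.com /campaign/2
2017-12-11T16:57:50Z 10.12.11.101 CONNECT aningtorsfave.com:443
2017-12-11T16:58:10Z 10.12.11.102 GET www.example.com /index.html
2017-12-11T16:58:12Z 10.12.11.103 GET api.ipify.org /
""".splitlines()

if __name__ == "__main__":
    for src, events in scan(SAMPLE_PROXY_LOG).items():
        print(src, [stage for _, stage in events])
    print("likely infected:", likely_infected(SAMPLE_PROXY_LOG))
```

The check-in regex is deliberately broader than the three URIs in the pcap, since the directory name rotates between campaigns while the forum.php/about.php shape stays; the numbered payload match is deliberately narrow (only /1, /2, /3 under the listed paths) so that ordinary traffic to those compromised sites does not fire. The api.ipify.org lookup is never treated as an indicator on its own.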
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 4bef47068c1d5f8bbea0662a31df9a1a7ecfef2448f0b2eb9acdb502be210c3d
File size: 240,128 bytes
File name: eFax_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: 05e7b5f18cf8ca0d672121b879d5b7ad2e854f8b6052f9e5b8f60ad4a3daa808
File size: 152,064 bytes
File location: C:\Users\[username]\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Internet Explorer.exe
File description: Zeus Panda Banker Trojan
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-11-Hancitor-malspam-traffic.pcap.zip 1.8 MB (1,801,521 bytes)
- Zip archive of the email: 2017-12-11-Hancitor-malspam-1654-UTC.eml.zip 1.1 kB (1,077 bytes)
- Zip archive of the malware: 2017-12-11-malware-from-Hancitor-malspam.zip 215 kB (214,894 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.